Authentication Tools - Cipafilter Documentation

Manual - Authentication Tools

This page provides information and tools related to authentication.

Authentication Records

This table lists all records currently recognized by the system's authentication engine.  For each record, the IP address, host name, user name, group name, TTL (seconds left until expiry), and source of authentication are listed, where applicable.  Users who are authorized but not actually authenticated are listed with their IP address as the user name.  A record may be manually expired (deleted) by clicking its trash icon.  The Re-authenticate All button will force the system to reload all records — note that this may place a temporary but significant load on the filter and any authentication back-ends it is configured for.

Persistent Authentication Tokens

This table lists all users who have a persistent authentication token for the captive portal.  For each record, the user name, number of tokens (this usually corresponds to the total number of devices and browsers the user has used to log in to the portal), number of sessions the user currently has active as a result of persistent authentication, and date and time of the last token's creation are listed.  Clicking a record's trash icon will delete all tokens for the associated user and also de-authenticate any active persistent-auth sessions, forcing the user to manually log back in.  Sessions which are not the result of persistent authentication will not be de-authenticated.

Test Authentication

This tool can be used to test the group membership that would be applied to a particular user/IP combination.  Only the user name is required.  When no IP address is supplied, the specified credentials will be queried against all configured authentication back-ends, and the tool will (where applicable) report the first group result which matches the group configuration on the filter.  If a password is supplied, the query will test its validity; an incorrect password will result in a failed query.  If an IP address is supplied, it will be matched against the filter's authorized proxy subnet rules.
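The lookup order described above can be modelled as follows. This is an added illustration, not Cipafilter code: the back-end names, users, groups, subnet rule, the back-end query order, and the choice to fail the whole query on the first wrong password are all assumptions made for the sketch.

```python
import hmac
import ipaddress

# Constructed sample data; back-end names, users and groups are hypothetical.
BACKENDS = [
    ("ldap", {"alice": ("s3cret", ["Domain Users", "Staff"])}),
    ("google", {"alice": ("s3cret", ["Students"]), "bob": ("hunter2", ["Students"])}),
]
FILTER_GROUPS = {"Staff", "Students"}   # groups configured on the filter
PROXY_SUBNETS = ["10.20.0.0/16"]        # authorized proxy subnet rules

def match_subnet(ip, subnets=PROXY_SUBNETS):
    """Return the first subnet rule containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in subnets if addr in ipaddress.ip_network(n)), None)

def resolve_group(user, password=None, ip=None,
                  backends=BACKENDS, filter_groups=FILTER_GROUPS):
    """Model the test query: only the user name is required."""
    result = {"user": user, "group": None, "source": None,
              "subnet": None, "password_ok": True}
    if ip is not None:
        result["subnet"] = match_subnet(ip)
    for name, users in backends:
        if user not in users:
            continue
        stored, groups = users[user]
        # Assumption: a wrong password fails the whole query at the first
        # back-end that knows the user.
        if password is not None and not hmac.compare_digest(
                password.encode(), stored.encode()):
            result["password_ok"] = False
            return result
        # Report the first group that is also configured on the filter.
        for group in groups:
            if group in filter_groups:
                result.update(group=group, source=name)
                return result
    return result

if __name__ == "__main__":
    print(resolve_group("alice"))                # Staff via ldap
    print(resolve_group("bob", ip="10.20.3.4"))  # Students via google, subnet matched
    print(resolve_group("alice", password="wrong"))
```

In this model a user who belongs to groups in more than one back-end is placed by whichever configured group is found first, which is the case worth checking with the tool when group placement looks wrong.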

Directory Cache

This tab lists information about the filter's internal directory cache.  This cache is used, where supported, to prevent unnecessary load on external authentication services like Google Directory and Active Directory.  The cache is automatically updated every 30 minutes.  Only user/group names, group memberships, and related metadata required for log-in and group placement are stored locally;  the filter does not cache passwords or non-authentication-related data.  Note that the number of records listed for each authentication method should be at least the number of users and groups in that directory, but will (for various implementation reasons) often be much higher. 

During intensive troubleshooting, it may be necessary to refresh or clear the directory cache.  Pressing the Refresh Cache button will clear any stale records and refresh the cache immediately.  Pressing Clear Cache will first clear all records and then perform the refresh.  This is useful primarily with Google Directory, since it is more aggressively cached.  The Clear Cache and Reload Services button will clear and refresh the cache, reload the authentication engine and content filter, and re-authenticate all active records.

All three of these operations (but particularly the last two) may put a temporary but significant load on the filter and any directory servers it is configured to use.  Additionally, some services (such as Google Directory) will rate-limit the filter if the cache is cleared/refreshed too frequently — please use these options with caution.
