A user who logs in locally gets a DHCP IP address and inherits the access rights of another user who previously used the same DHCP IP.

Solutions ID:    KB4255
Version:    1.0
Status:    Published
Published date:    01/18/2011
 

Problem Description

A user who logs in locally to a workstation, and who is not supposed to have access to any websites through the ProxySG, can in some cases still reach those websites even though ProxySG policy denies them. This happens because the user's workstation has been assigned a DHCP IP address that was previously used by another user who did have rights to browse the websites, and the ProxySG still attributes that IP address to the previous user.

This situation can occur in a Windows SSO environment that uses Domain Controller Query (DCQ) through the BCAAA agent.

Resolution

This issue is caused by the following setting in the sso.ini file on the BCAAA server:

****************************************************************************
[DCQSetup]

; The number of seconds that a logon, found by querying the domain
; controller, should be considered valid. By default logons are
; valid until another user logons at the same IP address.

; Make logons valid for one day
; ValidTTL=86400

****************************************************************************

Note that the ValidTTL line above is commented out (leading ';'), so the default behaviour described in the comment applies: a logon learned by querying the domain controller stays in BCAAA's Ip-to-User table until another user logs on to the domain from the same IP address. Uncommenting ValidTTL=86400 would instead expire the entry after one day (86400 seconds). In either case a later local (non-domain) logon at that IP address produces no domain logon event, so the stale mapping is not replaced. Setting ValidTTL to a value shorter than the time before a DHCP lease is reissued to another workstation limits how long the stale mapping can be used.

Assume User A is a user who logs in to the domain and who has rights to access the websites.
User B is a user who logs in locally (not to the domain) to a workstation and who is not supposed to have rights to access the websites.

Consider the following scenario:

1. User A logs in to the domain and browses a website as usual. Then he logs off.
2. User A's DHCP lease expires.
3. User B logs in locally (not to the domain) to a workstation, and that workstation is assigned the DHCP IP address previously held by User A's workstation.
4. All of this happens while User A's entry is still valid: at any time under the default setting, or within 24 hours if ValidTTL=86400 is in effect.

The result is that User B can browse the website even though policy says he should not.

When User B tries to browse the Internet through the ProxySG, the ProxySG sends the client IP address to the BCAAA agent server. BCAAA finds the IP address in its Ip-to-User table (the entry is still valid) and reports to the ProxySG that the IP address maps to User A. The ProxySG therefore evaluates policy for User A, who is allowed to reach the website. Neither the ProxySG nor BCAAA is aware of User B's username, because User B logged in locally and no domain logon event was generated.
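The following Python model, added here as an illustration and not part of this article or of the BCAAA software, shows why the commented-out ValidTTL line has no effect and how the stale Ip-to-User mapping survives a local logon. The ini fragments, the IP address 10.0.0.25 and the username CORP\userA are constructed for the example; the parsing of sso.ini is simplified to the one key that matters here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sso.ini fragments for this example (not copied from a live BCAAA
# installation). The first mirrors the fragment above: ValidTTL is commented out.
SSO_INI_DEFAULT = """
[DCQSetup]
; The number of seconds that a logon, found by querying the domain
; controller, should be considered valid. By default logons are
; valid until another user logons at the same IP address.

; Make logons valid for one day
; ValidTTL=86400
"""

# Same fragment with the ValidTTL line uncommented.
SSO_INI_ONE_DAY = SSO_INI_DEFAULT.replace("; ValidTTL=86400", "ValidTTL=86400")


def parse_valid_ttl(ini_text: str) -> Optional[int]:
    """Return ValidTTL from [DCQSetup], or None when it is absent or commented out."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or ';' comment: inert, so '; ValidTTL=86400' sets nothing
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "dcqsetup" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "validttl":
                return int(value)
    return None


@dataclass
class LogonEntry:
    user: str
    seen_at: float  # seconds, relative to an arbitrary clock


class IpToUserTable:
    """Simplified model of the BCAAA Ip-to-User table fed by domain controller queries.

    Only domain logons create or replace entries. A local (non-domain) logon
    produces no domain logon event, so the table never hears about it.
    """

    def __init__(self, valid_ttl: Optional[int]):
        self.valid_ttl = valid_ttl  # None models the default: valid until replaced
        self.entries: dict[str, LogonEntry] = {}

    def domain_logon(self, ip: str, user: str, now: float) -> None:
        # A new domain logon at the same IP replaces the previous mapping.
        self.entries[ip] = LogonEntry(user, now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if self.valid_ttl is not None and now - entry.seen_at > self.valid_ttl:
            return None  # expired: the ProxySG sees no user for this IP
        return entry.user  # still valid: the ProxySG applies this user's policy


def dhcp_reuse_scenario(valid_ttl: Optional[int], elapsed_seconds: float) -> Optional[str]:
    """Replay the scenario from the article with a given ValidTTL.

    User A logs on to the domain from 10.0.0.25 and logs off, the lease lapses,
    User B's workstation receives 10.0.0.25 and User B logs in locally.
    Returns the user BCAAA reports for 10.0.0.25 when User B browses.
    """
    ip = "10.0.0.25"  # constructed address
    table = IpToUserTable(valid_ttl)
    t0 = 0.0
    table.domain_logon(ip, "CORP\\userA", t0)
    # User B's local logon: no domain_logon() call, nothing reaches BCAAA.
    return table.lookup(ip, t0 + elapsed_seconds)


if __name__ == "__main__":
    for label, ini in (("default", SSO_INI_DEFAULT), ("one day", SSO_INI_ONE_DAY)):
        ttl = parse_valid_ttl(ini)
        print(f"{label}: ValidTTL={ttl}, after 1h -> {dhcp_reuse_scenario(ttl, 3600)}, "
              f"after 25h -> {dhcp_reuse_scenario(ttl, 90000)}")
```

With the default fragment the lookup returns User A no matter how much time has passed; with ValidTTL=86400 it returns User A for the first 24 hours and nothing afterwards. A ValidTTL shorter than the interval before a released DHCP lease is handed out again is what actually closes the window.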