User Auth working as Session Auth

[sergioaf]

Hello,

I just helped a customer to configure User Authentication for HTTP for a small group of users that reside on a DMZ. We created the users (with CP password authentication), the group of users and the rule on which that group (restricted to the DMZ network) is the source, the destination is any, the service is HTTP and the action has User Authentication, on which we selected the option "HTTP: All servers" in opposition of the default "predefined servers".

When the users try to browse a web page, they get the authentication challenge and they get authenticated ok, but then every time they click on a new link, the challenge window comes up again and they have to authenticate one more time in order to continue. Seems like even when it is User Authentication, its behaving like Session Authentication.

We checked the User Authentication Session Time out and it is on the default setting of 15 minutes both on Global Properties and the gateway object, which by the way is an active/standby HA pair.

Everything is NGX R61 and runs over SPLAT.

Has anyone seen this before? I don't seem to find an answer on the SK.

Thanks in advance for the help.

Regards

[sergioaf]

Sorry, I just learned that in particular is the expected behavior when doing User Authentication with HTTP. I was under the impression that only Session Authentication would work like that.

We switched to Client Auth and got the expected results.

[BarryStiefel]

Quote:

Originally Posted by sergioaf

Hello,

I just helped a customer to configure User Authentication for HTTP for a small group of users that reside on a DMZ. We created the users (with CP password authentication), the group of users and the rule on which that group (restricted to the DMZ network) is the source, the destination is any, the service is HTTP and the action has User Authentication, on which we selected the option "HTTP: All servers" in opposition of the default "predefined servers".

When the users try to browse a web page, they get the authentication challenge and they get authenticated ok, but then every time they click on a new link, the challenge window comes up again and they have to authenticate one more time in order to continue. Seems like even when it is User Authentication, its behaving like Session Authentication.

We checked the User Authentication Session Time out and it is on the default setting of 15 minutes both on Global Properties and the gateway object, which by the way is an active/standby HA pair.

Everything is NGX R61 and runs over SPLAT.

Has anyone seen this before? I don't seem to find an answer on the SK.

Thanks in advance for the help.

Regards

User Authentication demands authentication for every single new TCP connection. Your browser will cache these credentials and silently provide them for you if you open another connection to the same server. If you close your browser, or time out, or go to a new web server, you must authenticate again.

This is why User Authentication is described as "Secure but intrusive". In real life, it's way too much of a pain to use for HTTP.