Authentication: Single-Sign On for Astaro Authentication Agent
Expand the Astaro Authentication Agent to (optionally) use the currently logged on Windows credentials instead of manually entering credentials.
Every enterprise, university, or other large corporation has multi-user computers. It would only make sense to have multi-user support added to the AAA client. By default it should not install into the user's profile. It should be a workstation installation, and you should have the option of installing it for all users, like most programs have.
An added bonus would be if the user didn't have to enter their credentials; the credentials would be pulled from the machine using the SSO features and automatically entered into the AAA client.
Astaro provides an authentication client for Windows so that users directly authenticate at the ASG.
Users who want or should use Client Authentication need to install the Astaro Authentication Agent (AAA) on their client PC.
My idea/suggestion is to use SSO for this, like how users are authenticated for the web proxy.
AAA is out now with static manual login. It would be good to sign in with SSO or with certs, like SSL-VPN works.
I work in a heavily leveraged Terminal Services environment and have just purchased a UTM320. This is a MUST feature: getting a user to double log in is simply a waste of time, and a display that SSO is an incorrect name for the feature, which should correctly be called Active Directory Integration.
And also allow the Sophos Authentication Agent to run in multi-user environments WITHOUT admin rights. It is not ready for larger environments as it is now. No company grants admin privileges to users.
Joel Alfredo commented
I agree this would be appreciated. It would be good also to be able to specify the UTM IP address to the agent. Right now, this agent only works if it's connected in the same VLAN as the UTM. We have captured some traffic and it connects to the IP 188.8.131.52, and the UTM uses this IP to communicate to agents, but it only works in the same broadcast domain.
This would be highly appreciated.
I'm interested in this as well. Right now a "client" that asks for credentials again is not a useful/valid option for a Windows domain at all (I'll go so far as to say it's useless, as people will change passwords, mistype it in the AAA, and all kinds of bad things). I was under the impression the AAA collected the logged-in username and sent it to Astaro, but it annoys people with a popup asking for credentials...
Stephen Norman commented
This would also be useful to see on OS X now that the authentication agent is going to be available in Sophos UTM 9.1.
Marcus Schenk commented
We'd like this too, since AAA should be very easy for the end user, and having to enter a password every login is annoying for them, so they won't accept it. Acceptance would be greater if we stored the password, but in a policy-based AD network where passwords are changed every x months you cannot have multiple users always keep their stored passwords in sync. Other than that, I don't know if it's a security risk to have this password stored; I don't know what technique is used by Sophos. So SSO for AAA would be highly appreciated!
Since eDir SSO is so broken (eDir's fault) this is still on the top of my needs list. Any chance this will ever happen?
Kevin Salisbury commented
The Winlogon idea seems like a good one even for those of us on Linux and/or eDirectory.
Ludovic Peny commented
Maybe a Winlogon compatibility to allow the agent to catch the credentials at the login prompt.
Eventually the SAA can also be a feature of the UTM Endpoint.
Kris Hanson commented
This would add the flexibility one of our customers requires...otherwise it is a feature we cannot look to at this time...
This way this authentication could also be used for other features in the NSG: associating users with FW rules, for example, including authentication for SSH connections, ...
If the AAA doesn't have multi-user support, the Astaro firewall is useless for schools...
Bob Alfson commented
This is especially important to opportunities with larger companies.
We need to be able to use "Backend Group (User Group Network)" objects in Firewall, Application Control, QoS, etc. rules without syncing users to the ASG.
In the world of Microsoft and AD domains, this feature is a must if any web filtering is to be logged appropriately. Please help make this more of a priority.
Stephen W commented
It would also be nice if the Astaro Agent installed as a Windows service to authenticate the logged-on user. I have workstations with multiple users, and each one has to install the Astaro Agent as it installs in the user's profile.
I know a certain other product does this by running an agent on the DC - it detects event log entries that map IP address to username based on logon and logoff. The agent then sends those to the web filter appliance. This is probably not perfect, but seems to run a lot more smoothly than what we have Astaro doing today. It would be a lot more transparent to the users too.
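The DC-side approach described in the comment above (deriving an IP-to-user map from logon and logoff events), as an added example that is not part of this thread or of any Astaro/Sophos product: a small tracker fed with constructed, simplified event lines, handling the case where a second user logs on from the same IP before the first user's logoff arrives. The key=value line format, field names and sample values are assumptions; 4624 and 4634 are the real Windows Security log logon and logoff event IDs.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines in a simplified key=value form (not real Security
# log output). id=4624 is a logon event carrying user, source IP and logon ID;
# id=4634 is a logoff event carrying only the logon ID, as on a real DC.
SAMPLE_EVENTS = """\
id=4624 user=alice ip=10.0.0.5 logon_id=0x1a
id=4624 user=bob ip=10.0.0.6 logon_id=0x1b
id=4624 user=carol ip=10.0.0.5 logon_id=0x1c
id=4634 logon_id=0x1a
id=4634 logon_id=0x1b
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


class IpUserMap:
    """Tracks which user is currently associated with each client IP."""

    def __init__(self) -> None:
        self.by_logon: Dict[str, Tuple[str, str]] = {}  # logon_id -> (user, ip)
        self.by_ip: Dict[str, Tuple[str, str]] = {}     # ip -> (user, logon_id)

    def feed(self, line: str) -> None:
        f = dict(FIELD_RE.findall(line))
        if f.get("id") == "4624" and all(k in f for k in ("user", "ip", "logon_id")):
            self.by_logon[f["logon_id"]] = (f["user"], f["ip"])
            self.by_ip[f["ip"]] = (f["user"], f["logon_id"])  # newest logon wins
        elif f.get("id") == "4634" and "logon_id" in f:
            entry = self.by_logon.pop(f["logon_id"], None)
            if entry is None:
                return  # logoff for a session we never saw; ignore
            _user, ip = entry
            # Clear the IP only if this logoff belongs to the session that
            # currently owns it; a later logon by another user must survive.
            if self.by_ip.get(ip, (None, None))[1] == f["logon_id"]:
                del self.by_ip[ip]

    def user_for(self, ip: str) -> Optional[str]:
        entry = self.by_ip.get(ip)
        return entry[0] if entry else None


def build_map(text: str) -> IpUserMap:
    m = IpUserMap()
    for line in text.splitlines():
        if line.strip():
            m.feed(line)
    return m
```

After feeding the sample, 10.0.0.5 resolves to carol (alice's later logoff does not clear it) and 10.0.0.6 resolves to nobody because bob's session ended.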
Andreas Gunleikskaas commented
Just starting to look at AAA now, but it would be great if it could use windows/domain credentials.
If the client is to be distributed on a network, the installation should be possible to run silently. Maybe it is possible already, but I haven't found any info about it yet.