Steve: /* One-to-one devices */

2024-05-21T09:45:40Z

One-to-one devices

← Older revision		Revision as of 10:45, 21 May 2024
Line 1:		Line 1:
	== One-to-one devices ==		== One-to-one devices ==
	This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Microsoft Windows Configuration#Shared devices\|Shared devices]] and [[Microsoft Windows Configuration#Multiuser servers\|Multiuser servers]].		This section covers devices which are not joined to the Windows domain and always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Microsoft Windows Configuration#Shared devices\|Shared devices]] (including domain-joined) and [[Microsoft Windows Configuration#Multiuser servers\|Multiuser servers]].

	* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system\|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''Single User Devices''.		* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system\|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''Single User Devices''.

Steve: Created page with "== One-to-one devices == This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding Shared devices and Multiuser servers. * If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to RADIUS#Linking%20a..."

2022-10-13T10:39:49Z

Created page with "== One-to-one devices == This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding Shared devices and Multiuser servers. * If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to RADIUS#Linking%20a..."

New page

== One-to-one devices ==
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Microsoft Windows Configuration#Shared devices|Shared devices]] and [[Microsoft Windows Configuration#Multiuser servers|Multiuser servers]].

* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:

* Browse to https://''<your Opendium host name>''/opendium.crt (This URI is displayed on the [[Web]] tab).
* Go to ''Downloads.''
* Double click the certificate.
* Click ''Install Certificate'', which will launch the Certificate Import Wizard.

[[File:Windows Certificate Import Wizard.png|alt=Windows Certificate Import Wizard|center|frame|Windows Certificate Import Wizard]]

* Select ''Local Machine'' and click ''Next''.

[[File:Windows Import Certificate Wizard - Local Machine.png|alt=Windows Import Certificate Wizard - Importing into Local Machine|center|frame|Windows Import Certificate Wizard - Importing into Local Machine]]

* Click ''Yes'' in the User Account Control box which pops up.

[[File:Windows Import Certificate - User Account Control.png|alt=User Account Control popup|center|frame|User Account Control popup]]

* Select ''Place all certificates in the following store'' and click ''Browse''
* Select ''Trusted Root Certification Authorities'' and click ''Ok''.

[[File:Windows - Select Certificate Store.png|alt=Select certificate store|center|frame|Select certificate store]]

* Click ''Next'' in the Certificate Import Wizard.

[[File:Windows Certificate Import Wizard - Import into Trusted Root Certification authorities.png|alt=Import into Trusted Root Certification authorities|center|frame|Import into Trusted Root Certification authorities]]

* The final page of the wizard lets you review your settings. Click ''Finish'' and the certificate will be imported.

[[File:Windows Import Certificate Wizard - Finish.png|alt=Windows Import Certificate Wizard - Finish|center|frame|Windows Import Certificate Wizard - Finish]]

* A security warning will be displayed saying that Windows cannot validate the certificate. This is normal, click ''Yes''.

[[File:Windows cannot validate certificate.png|alt=Security warning|center|frame|Security warning]]

* The Certificate Import Wizard will pop up a box announcing that the certificate was successfully imported.

[[File:Windows Certificate Import Wizard - Success.png|alt=Windows Certificate Import Wizard - Success|center|frame|Windows Certificate Import Wizard - Success]]

=== Troubleshooting ===
These instructions explain how to confirm that the Opendium inspection certificate is installed on a stand alone Windows machine. Windows versions 8 and 8.1 have a different style start menu to Windows versions 7 and 10, but the procedure is the same in all cases.

* Click ''Start'' or press the Windows key, then type ''mmc'' and click the ''mmc'' command.

[[File:Run mmc.png|alt=Search for mmc|center|frame|Search for mmc]]
[[File:Run mmc 2.png|alt=Run mmc|center|frame|Run mmc]]

* If a ''User Account Control'' dialog pops up asking if you would like to allow Microsoft Management Console to make changes, click ''Yes''.

[[File:User Account Control - mmc.png|alt=User Account Control|center|frame|User Account Control]]

* Microsoft Management Console will then start, go to ''File -> Add/Remove Snap-in...''

[[File:Mmc Add-Remove Snap-in.png|alt=Add/Remove Snap-in|center|frame|Add/Remove Snap-in]]

* Add the certificate snap-in by double clicking or highlighting ''Certificates'' and clicking ''Add''.

[[File:Mmc Add certificates Snap-in.png|alt=Add certificates Snap-in|center|frame|Add certificates Snap-in]]

* Select the ''Computer account'' radio button and click ''Next''.

[[File:Manage certificates for computer account.png|alt=Manage certificates for computer account|center|frame|Manage certificates for computer account]]

* Leave the ''Local computer'' radio button selected and click ''Finish''.

[[File:Select local computer.png|alt=Select local computer|center|frame|Select local computer]]

* You should now see ''Certificates (Local Computer)'' in the right hand pane.

[[File:Certificates snap-in installed for local computer.png|alt=Certificates snap-in installed for local computer|center|frame|Certificates snap-in installed for local computer]]

* Click ''Ok'', which will take you back to MMC and should show ''Certificates (Local Computer)'' in the left hand pane.

[[File:Mmc Certificates for Local Computer.png|alt=Certificates (Local Computer)|center|frame|Certificates (Local Computer)]]

* Select ''Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates''
* You should see the Opendium certificate listed in the right hand pane.

[[File:Mmc Opendium certificate.png|alt=Opendium certificate in mmc|center|frame|Opendium certificate in mmc]]

* For more details, double click the certificate and click the ''Details'' tab.

[[File:Inspection Certificate Details.png|alt=Inspection certificate details|center|frame|Inspection certificate details]]

== Shared devices ==
This section covers devices which are shared between multiple users (one user logged in at a time). Scroll down for information regarding [[Microsoft Windows Configuration#Multiuser servers|multiuser servers]].

=== Devices on the Windows domain ===
Client devices '''must''' use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. We recommend using automatic proxy discovery wherever possible.

* The network that the device is being connected to should have [[Web: Permissions & Limits#Autoconfigure%20devices%20to%20use%20the%20proxy|Autoconfigure devices to use the proxy]] ticked in [[Web: Permissions & Limits|Permissions & Limits]].
* Ensure that the [[Installation Requirements#Internal%20DNS%20configuration|''wpad'' DNS records]] have been created on your internal domain.
* Ensure that your DHCP scopes are [[Installation Requirements#DHCP|correctly configured]].
* Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.

* The network that the device is being connected to should have its user identification profile set to ''Workstations''.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through Group Policy:

* Browse to https://''<your Opendium host name>''/opendium.crt (This URI is displayed on the [[Web]] tab).
* Go to administrative tools on your domain controller and open ''Group Policy Management''.

[[File:Open Group Policy Management.png|alt=Open Group Policy Management|center|frame|Open Group Policy Management]]

* Right click and edit ''Default Domain Policy'' within your domain.

[[File:Right click Default Domain Policy.png|alt=Right click Default Domain Policy|center|frame|Right click Default Domain Policy]]

* Select ''Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities''.

[[File:GPO select Trusted Root Certification Authorities.png|alt=GPO select Trusted Root Certification Authorities|center|frame|GPO select Trusted Root Certification Authorities]]

* Right-click the right hand pane and click ''Import...'', which will start the certificate import wizard.

[[File:GPO start import wizard.png|alt=Start Certificate Import Wizard|center|frame|Start Certificate Import Wizard]]

* Click ''Next'' on the first page of the import wizard.

[[File:GPO Certificate Import Wizard.png|alt=Certificate Import Wizard|center|frame|Certificate Import Wizard]]

* Enter the file name of the new certificate, or use the ''Browse'' button to select it and click ''Next''.

[[File:Certificate Import Wizard - Browse.png|alt=Browse for the certificate file|center|frame|Browse for the certificate file]]

* The certificate location should be shown as ''Trusted Root Certification Authorities''. If not, use the ''Browse'' button to set the store to ''Trusted Root Certification Authorities'' or ''Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities'', and then click ''Next''.

[[File:Windows Certificate Import Wizard - Import into Trusted Root Certification authorities.png|alt=Import into Trusted Root Certification Authorities|center|frame|Import into Trusted Root Certification Authorities]]

* The final page of the wizard lets you review your settings. Click ''Finish'' and the certificate will be imported into the GPO and it should then distribute across your domain.

[[File:Windows Import Certificate Wizard - Finish.png|alt=Windows Import Certificate Wizard - Finish|center|frame]]

===Stand alone devices===
Shared devices which are not connected to the Windows domain must authenticate through the captive portal:
*Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system.
*Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''.
*Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-windows". This user must exist on the Opendium system.
*The user must use the captive portal to authenticate.
*When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).
If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. See the instructions above in the [[Microsoft Windows Configuration#One-to-one devices|One-to-one devices]] section.

Shared stand alone Windows devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].

=== Troubleshooting ===
Shared devices on the Windows domain should transparently authenticate using Kerberos single sign-on. If the device pops up authentication boxes rather than automatically authenticating, check that the clock on both the device and the domain controller are correct. The Opendium server provides an NTP service and we recommend that your machines use this to keep their clocks synchronised.

== Multiuser Servers ==
This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain. If the machine is not on the Windows domain, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].

Client devices '''must''' use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. We recommend using automatic proxy discovery wherever possible.

* The network that the device is being connected to should have [[Web: Permissions & Limits#Autoconfigure%20devices%20to%20use%20the%20proxy|Autoconfigure devices to use the proxy]] ticked in [[Web: Permissions & Limits|Permissions & Limits]].
* Ensure that the [[Installation Requirements#Internal%20DNS%20configuration|''wpad'' DNS records]] have been created on your internal domain.
* Ensure that your DHCP scopes are [[Installation Requirements#DHCP|correctly configured]].
* Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.

* The network that the device is being connected to should have its user identification profile set to ''Multiuser Servers''.

If the network's HTTPS interception mode is set to ''Active'', you must install your unique Opendium interception certificate. This should be done through Windows Group Policy. See the instructions above in the [[Microsoft Windows Configuration#Shared devices|Shared devices]] section.

=== Limitations ===

* Not all applications respect the proxy server settings and traffic for such software is instead caught by the transparent proxy and it is not possible to authenticate this traffic. Most of the user identification modes expect only one user to be logged into each device at any one time and can therefore infer which user the unauthenticated traffic belongs to based on recently authenticated traffic from the same device. Inferring traffic ownership in this way is not possible for systems that have multiple concurrent users, and therefore transparent proxy traffic from ''Multiuser Servers'' will not have an owner associated with it. Therefore, transparent proxy traffic will not be logged against an individual user, and will be filtered according to the ''Unidentified Users'' section of the [[Web: Policy Modelling|Policy Modelling]] report.
* Not all applications support authenticated web proxy servers, and of those which do, some do not support Kerberos single signon. Many of the user identification profiles use heuristics to prevent broken software from being required to authenticate, and instead infer the traffic's ownership as described above. When the profile is set to ''Multiuser Servers'' these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may result in some applications failing to connect to the internet, or spurious pop-up authentication boxes.

[[Category:Client Configuration]]

Microsoft Windows Configuration - Revision history

Steve: /* One-to-one devices */