Allow authentication on block

Forum|Forum|10 years ago
November 2, 2015
3 replies
13091 views

We're a school environment, and I want to use a default web filtering policy for everyone, then allow faculty/staff to authenticate to have a less-restrictive filtering experience. Right now, the only way I can accomplish this is to set certain categories to "authenticate" instead of "block". The problem is that I have to set the authenticate rules for every individual category. What I would like instead is to have un-authenticated users able to browse the web freely until they encounter a blocked site, then be able to override or otherwise trigger authentication. Is this at all possible? Thanks!

gschmitt

New Member

cpattonsfs wrote:
We're a school environment, and I want to use a default web filtering policy for everyone, then allow faculty/staff to authenticate to have a less-restrictive filtering experience. Right now, the only way I can accomplish this is to set certain categories to "authenticate" instead of "block". The problem is that I have to set the authenticate rules for every individual category. What I would like instead is to have un-authenticated users able to browse the web freely until they encounter a blocked site, then be able to override or otherwise trigger authentication. Is this at all possible?

Not quite sure what it is you are asking.... you don't have to set all categories to auth. Just the ones you'd like users to authenticate to?

ede_pfau

SuperUser

If you look through the categories you'll notice there are a number of which are harmless in any respect ('tobacco', really?).

I can imagine that the administration of a school's FGT is difficult but to block everything is IMHO not the right way. You should get a resolution from your authorities which content needs to be blocked, so to say, a blacklist of categories. This is more of a legal problem than a technical one. If the list is a long one, bad luck, you'd have to set the 'override' status on each one.

cpattonsfsAuthor

New Member

Sorry, apparently I haven't been clear.

I don't wish to block EVERYTHING. My question has to do with when authentication is required.

As I understand it, this is the workflow that is required in order to use different filtering profiles, or to utilize the "override" command:

1) As soon as a device logs on, it must authenticate before it can even access the internet.

2) They are automatically assigned a profile based on their identity.

3) When a blocked page is encountered, if "Allow blocked override" is checked and users are in a group that is allowed to override, the page is displayed and the override remains in place for the amount of time specified in the settings.

STEP 1 is the problem here. I do not want ALL of my users to have to authenticate just so that a FEW can be assigned an alternate profile. Here's what I WANT to happen:

1) As soon as device logs on, it has immediate access to the internet and uses the default filtering profile.

2) When a blocked page is encountered, the user can authenticate, which will assign them the correct profile based on identity.

3) If a page is still blocked with the newly-assigned profile, the override function can be used, as above.

Right now I CAN accomplish this, by setting each category I want to block to "authenticate" instead of "block." The problem is that if, for example, I want to block 5 categories, then I have to manually change each one to "Authenticate" AND change the settings for each one. Not the end of the word, but just not ideal.

I guess this might be splitting hairs. I guess I was spoiled by the dedicated filtering appliance I'm used to, as this was easy to configure.