Problem
When designing authentication models on a Smoothwall, shared iPads pose a challenge. iOS has no user logins, so the device generally has no idea who the user is, and users cannot be authenticated automatically.
For personal iOS devices, 802.1X authentication via RADIUS is the preferred option, but it is not suitable for shared devices.
The only remaining option is to log into the Smoothwall manually using the user login page. When this option is used, users stay logged in for a set, configurable amount of time. This can lead to misidentification of the active user if a device changes hands before the login times out.
In addition, having to log in on the captive portal page every time a device is picked up can be an annoyance.
Solution
When discussing these issues, one school explained that they were really only interested in logging the user's name when the user tried to access material outside the "sandbox", that is, the list of applications and resources that users were expected to be using during normal class. Together we designed a process that would minimize both the inconvenience to the end user and the risk of misidentification.
We created a user group and gave it the permissions for sandbox access. That involved a few steps:
- Create a policy set for the new user group that would block access to any categories outside the sandbox.
- Set the proxy that the iPads were using to use the authentication method called "Core authentication" and give unauthenticated requests the permissions of the new user group.
- Create a block page for the new user group and enable the option to show the login page button. Add text to the block page stating how long users will stay logged in and that they should log out manually once done, either by using the shortcut described below or by bookmarking the login page so they can return to it and log out.
- Use the MDM (if available) to place a shortcut to the Smoothwall login page on the screen.
The idea behind this is that students will be able to pick up the iPads and go about their daily business with no login required. As long as they stay within the bounds of the sandbox, iPads will function normally.
Once they move outside those bounds, they will be greeted with a block page. The block page gives them the option to log in and continue to the site they want to visit, provided that site is allowed for them as a logged-in user.
The shortcut to the login page on the main screen can then be used to manually log out once they are done.
While not perfect, this minimizes the number of logins required, tracks users' activity outside the sandbox and gives them the option to log out once they are done.