Considerations When Using Popup Authentication
Last modified on 14 August 2020 09:59 PM
This article relates to Popup Authentication. It’s worth reading more about Printing and Authentication with PaperCut and also more specifically Pop-up Authentication. It’s also worth knowing the difference between Identity and Authentication popups.
Alternatively: Are you having issues with the Pop-up not appearing?
What is Popup Authentication?
Popup Authentication is a feature in PaperCut which may be used when Protocol-Level Authentication is not available for user print jobs. Typically Popup Authentication is not used as the primary authentication mechanism but is used to support secondary printing services such as desktops that logon under a generic username (i.e. general access PCs in a library) or Mac systems where setting up an authenticated protocol may be beyond available system administration resources. Popup Authentication uses IP-address matching, which is explained in more detail below.
What is Protocol-Level Authentication?
The standard Windows print system is an example of printing using Protocol-Level Authentication. Before a user is able to print, they must be authenticated into the environment (generally a Active Directory domain). Any jobs submitted to the print queue is encapsulated within this authentication as part of the transmission protocol. Due to this, the username with the print event can be trusted for the purposes of accounting and security.
How does Popup Authentication work?
Popup Authentication matches the source IP address of the print job with the user confirmed to be operating from the popup client IP address. The workflow is as follows:
When should Popup Authentication be used?
As a general rule, Popup Authentication should only be used in low-volume, low-complexity scenarios when Protocol-Level Authentication has been ruled out. By its design, Protocol-Level Authentication is always the most secure and hence this is the reason why it is used in Windows and authenticated protocols such as HTTP, SSH or Novell’s iPrint protocol.
A good example of a situation where Protocol-Level Authentication is not ideal would be a public-access PC in a library set to auto-logon as the insecure, generic account “public”. In this case the Protocol-Level Authentication is passing through the insecure user of “public”. PaperCut’s client software and IP address authentication can overlay these insecure user credentials and request authentication from the user at the time of print via a popup.
What do I need to know when implementing Popup Authentication?
The following is a general guide to factors your System, Network and Security team should consider when implementing Popup Authentication:
Q Can you give me a real-life an example of the practical difficulties associated with Popup Authentication?
In 2012 one major university user of PaperCut in the USA was using Popup Authentication to support authentication on print jobs issued via the LPR protocol (for Unix desktop systems). This setup had been in place successfully for 5 years with no reported problems. The site’s networking team (independent of the server team responsible for PaperCut’s management) decided to make a few network infrastructure changes and enabled NAT for some subnets. The NATing caused a subtle set of authentication issues that took a number of days to detect and diagnose. During this time some jobs were incorrectly attributed.