Announcement

Collapse
No announcement yet.

Policies and Groups

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
  • #1

    Policies and Groups

    Hi,

    So I made a security group within AD called "NxUsers" which I have applied the main policy to and I deployed NxLogon via a startup script, problem is it doesn't filter based on the group it seems to do it based on the IP of the client.

    Am I doing something wrong or is it meant to be that way?

    Thanks
    Tags: None
  • #2
    What do you mean by 'based on the IP of the client? Did you associate the users to IP addresses? We have Authentication Precedence: https://tutorial.nxfilter.org/doc/en...precedence.php

    Comment

    • #3
      So I'm trying to apply the policy based on the security group they are in

      Comment

      • #4
        Yeah, I know. You said 'based on the IP of the client'. If it means that you have IP associations for those users then they will by identified by the IP association. That's Authentication Precedence in NxFilter as you can enable multiple methods of user authentications.

        Comment

        • #5
          So the issue is when the login screen is presented and you enter credentials, then sign in as another user it does not prompt again until the pc is restarted so if you log in as another user it uses the same policy as the one you sign into the network with if that makes any sense?

          Comment

          • #6
            Yes. It works like that. Once you login using the login page, it creates an IP session and it doesn't know the user change in the PC. It's like you login to this forum but it doesn't get affcted by the user change in your PC. If you want to change the user in NxFilter, you need to logout first or login again.

            To login again: http://your-nxfilter-ip/login
            To logout: http://your-nxfilter-ip/logout

            If you do it automatically, you can set it as the first page of the user browser. Or you run Nslookup with Logout domain. https://tutorial.nxfilter.org/doc/en...-for-users.php

            A better approach is to use one of our SSO agents: https://tutorial.nxfilter.org/doc/en...on-methods.php

            Comment

            • #7
              Yeah, that makes sense. So I have deployed CxLogon to a test machine, it is installed and running.

              I have the following accounts for testing:

              - John.Doe (Only apart of Domain Users which appears on NxFilter as anon-grp)

              -local.admin (Is apart of support admins which is just to give local admin permissions on the PC, more importantly is in the NxUsers group which on the filter the policy linked to NxUsers is the main policy which blocks websites/categories)

              It still blocking for both users even though john.doe is not in the group linked to that policy, also since installing CxLogon it no longer brings up the login page (as expected) but seems to have no effect.

              Click image for larger version Name: image.png Views: 38 Size: 87.3 KB ID: 4015
              Click image for larger version Name: image.png Views: 31 Size: 44.1 KB ID: 4016
              I'm not sure how to change the default group - pictured below
              Click image for larger version Name: image.png Views: 25 Size: 16.2 KB ID: 4017
              Click image for larger version Name: image.png Views: 25 Size: 30.3 KB ID: 4018
              Click image for larger version Name: image.png Views: 28 Size: 29.8 KB ID: 4019

              Comment

              • #8
                Default Group is not for AD users. We can't interfere the user - group relations on the AD side. It's for the users and groups you create in NxFilter GUI.

                I guess CxLogon is not for you in this situation. It detects the first user from the Windows registry as far as I remember.

                What are you trying to achieve here? Is it about the terminal server? In that case, this IP seesion wouldn't work.

                If it's about sharing a PCs among multiple users. You'd better try NxLogon or VxLogon. They will pickup the logged-in username. However, I am not sure if it can handle Switch User in Windows.

                I think you can disable Switch User in GPO though. If you can disable it then NxLogon or VxLogon might be working.

                Another approach is to use Logout Domain in the logout script. 'nslookup logout.example.com' will delete the current IP session. The new users need to go through the login page always.

                You can define Logout Domain under 'System > Setup'.
                Last edited by support200; 10-18-2025, 04:37 AM.

                Comment

                • #9
                  Ah ok yeah so thats sorted the issue, just used NxLogon instead. Is it normal for it to prompt for the login page each time the user signs in?

                  Comment

                  • #10
                    If you run NxLogon, it picks up the current logged-in username and send it to NxFilter. So, no need to go through the login page. Do you see nxlogon in the task manager of the user pc?

                    Comment

                    • #11
                      Yeah NxLogon process shows in task manager however if i enable user authentication the login page still appears, if i disable it the login page does not appear (as expected) but if it's disabled even though NxLogon is running, the policy is not being enforced but if authentication is enabled and the user signs in then the policy is applied.

                      Comment

                      • #12
                        How do you get the login page? NxLogon is running and you try to access google.com and you get the login page? In that case, it's weird.

                        Try to see the info displayed in http://your-nxfilter-ip/welcome while NxLogon running.

                        And send a DNS query using Nslookup: nslookup google.com

                        If you still get the NxFilter IP as the answer, then send me the lof files under /nxfilter/log.

                        Comment

                        • #13
                          So (with NxLogon running) as previously mentioned, if i disable user authentication on the server then no login page is presented > enable it and theres the login page.

                          So in regards to the welcome page - see below

                          Click image for larger version Name: image.png Views: 64 Size: 313.9 KB ID: 4026

                          The user is different than the logged in user , for the nslookup - see below

                          Click image for larger version Name: image.png Views: 22 Size: 25.5 KB ID: 4027

                          Comment

                          • #14
                            So it's randomly started working without any changes being made, strange. However I will post a screenshot below as explaining things is not my strong-suit. But basically I have an AD security group which on NxFilter I have assigned a policy to, but users in that group do not have the policy enforced.

                            Click image for larger version Name: image.png Views: 26 Size: 67.2 KB ID: 4031

                            Click image for larger version Name: image.png Views: 27 Size: 68.6 KB ID: 4032

                            Click image for larger version Name: image.png Views: 22 Size: 26.7 KB ID: 4033

                            Comment

                            • #15
                              In that user list, clict the Eye button. That's the test button to show the current policy for users. The Policy in the list is from the user property not from User - Group relations. The current policy is determined in a real-time way as there are many factors to decide which policy to apply. Mutiple groups and work-time and free-time..

                              Your NxLogon problems has been solved? You may need to run it in CMD with '-d' option to see how it works. If I run it in CMD, I get this:
                              Code:
                              C:\Users\cpz1\Downloads\nxlogon-1.0-p1>nxlogon -d 192.168.0.103
uname: cpz1
62d032fdeb8c7a1a99600c23ef144980
                              And on the NxFilter end:
                              Code:
                               INFO ({LoginListener} LoginListener.java[_dealLogin]:57) [2025-10-19 08:11:07] - LoginListener._dealLogin, New login session by NxLogon request for 192.168.0.103, cpz1.
                              If you enable the debugging option on the NxFilter end, that'd be better: https://tutorial.nxfilter.org/doc/en...p#enable-debug

                              Comment

                              Previous 1 2 template Next
                              Working...
                              X