Chapter 26. Print Authentication

Table of Contents

About Authentication and Printing
What is authentication?
Why does authentication pose a problem?
How does PaperCut NG address authentication?
Handling Unauthenticated (non-domain) Laptops
Option 1: Popup Authentication for Unauthenticated Laptops
Option 2: Release Station Authentication for Unauthenticated Laptops
The Authentication Cookbook - Recipes by example
Windows systems with generic logins
Windows laptops that do not authenticate against a domain
Windows print server using LDAP or eDirectory authentication
Mac OS X systems with generic user accounts
Mac OS X systems using domain authentication via Open Directory
Mac OS X systems using domain authentication via Windows Active Directory
Mac OS X laptops (or single user systems) printing to Windows print queues
Linux Workstations in a lab environment with printers hosted on a Windows server
Linux Workstations in a lab environment with printers hosted on Linux CUPS server
Linux laptops (or single user systems)
Multiuser Unix terminal servers
Further Recommendations

Modern large multiuser networks, like those typically seen in Higher Education, are made up of a mix of operating systems, authentication methods, personal student laptops, print protocols and disparate networks. This heterogeneous mix poses problems for system administrators working towards a unified and centralized print management system. PaperCut NG sports an array of tools to help administrators meet their unification goals. PaperCut NG's flexibility is however a double-edged sword and the multitude of options also brings complexity. This section discusses cross-platform support in detail, and hopes to arm the reader with the knowledge needed to make the correct architecture decisions. Solutions are presented as "recipes" with the aim of directing the reader to appropriate procedures and other chapters.

The objective of a centralized and unified PaperCut NG system is to offer all users, irrespective of their operating system or access method, access to the full array of features in a secured and authenticated way. PaperCut NG offers cross-platform client software providing end-user features on all major operating systems. However, the need for secured and authenticated access adds an extra, somewhat complex dimension.

About Authentication and Printing

What is authentication?

Authentication in a printing environment is the act of confirming the digital identity of the person who issued a print job. Knowledge of the user's identity allows PaperCut NG to offer the user access to functions such as allocating the cost of a job to their account, or offering them access to shared accounts. In a Windows domain environment, authentication is handled at the point of login using a username and password. A web-of-trust is then established between servers and services.

Why does authentication pose a problem?

By default PaperCut NG assumes the printer queues are authenticated and trusts the username that is associated with the print job. It is this user who is charged for the printing. On fully authenticated networks (like 100% Windows Active Directory networks), PaperCut NG can trust the username associated with the job. There are a few common scenarios where authentication is not as simple:

  1. Generic, common, or shared user accounts. (e.g. generic "student" login).

  2. Systems that auto-login as a set user.

  3. Unauthenticated print queues or print protocols (e.g. LPR).

  4. Users' personal laptops that are not authenticated on the network.

Generic or shared login accounts are seen in some computer lab and network environments. In these environments administrators ask users to log into selected systems using standard user names such as "student" or "user". This practice is particularly common on the Apple Mac operating system as a single login helps streamline system and application management. The use of the Windows auto-login feature also poses a similar problem - authentication is not enforced at the time of system startup. An extra layer of authentication is required on these systems to correctly identify the person that performs printing.

Unauthenticated print queues also pose problems in cross-platform environments. In an ideal world all computers would talk the same protocols and happily work together in a single centrally authenticated environment. We can come close to this goal in a 100% Microsoft Windows environment, however if we mix in Unix, Linux and Mac, it's a different story. Although initiatives such as CUPS (Common Unix Printing System) and the Internet Printing Protocol (IPP) offer some hope, unification in the area of authenticated printing is still some way off. Unfortunately technical reasons often prevent networks from using CUPS authentication or exclusively using the authenticated Microsoft printing protocol.

The use of personal laptops or other unauthenticated workstations in an otherwise authenticated network is another cause of problems. These machines may not be able to authenticate to your network for a number of reasons:

  • The operating system does not support authentication (like Windows Home editions).

  • It is too complex to configure authentication on personal laptops.

  • Users log in to their laptop with their personally chosen username and password.

  • You cannot force users to change the configuration of their personal laptops.

How does PaperCut NG address authentication?

If technical reasons prevent authentication at the print queue level, PaperCut NG provides a number of alternate authentication options. These options change PaperCut NG's default behavior of trusting the username associated with a print job, and instead the user will be required to re-authenticate before the job is printed. The two alternate authentication options are described below.

Popup Authentication (IP session based authentication)

This method involves associating the workstation's IP address with a user for a specified period of time - a session. Any print jobs arriving from this IP address are deemed to be associated with this user. Authentication is provided by the PaperCut NG client software in the form of a popup dialog requesting a username and password. Data is transmitted to the server via an SSL encrypted connection. To print with popup authentication the client software must be running on the workstations or laptops.

Popup authentication can be used to:

  • Authenticate users that print from a generic login or auto-login account. This is done by flagging the generic account as unauthenticated in PaperCut NG.

  • Authenticate users not authenticated to the network (e.g. personal laptop users). This is done by marking the print queues as unauthenticated in PaperCut NG.

Figure 26.1. PaperCut NG client requesting authentication

More information on popup authentication can be found in the section called “Popup Authentication”.
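
The attribution logic described above can be modelled as follows. This is an added example, not PaperCut NG code: the class and function names, the queue and account names, and the 300 second session length are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Conceptual model only. The session length is an assumed value,
# not a PaperCut NG default.
SESSION_SECONDS = 300

@dataclass
class Job:
    username: str   # username reported by the print protocol
    source_ip: str  # workstation that submitted the job
    queue: str

class SessionTable:
    """Maps a workstation IP to the user who logged in via the popup."""
    def __init__(self):
        self._sessions = {}  # ip -> (user, expiry time in seconds)

    def login(self, ip, user, now):
        self._sessions[ip] = (user, now + SESSION_SECONDS)

    def lookup(self, ip, now):
        entry = self._sessions.get(ip)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self._sessions[ip]  # session over: the next job must prompt
            return None
        return user

def attribute(job, sessions, now, unauth_queues, unauth_accounts):
    """Return ('charge', user) or ('prompt', None) for one print job."""
    needs_auth = job.queue in unauth_queues or job.username in unauth_accounts
    if not needs_auth:
        return ("charge", job.username)  # default: trust the job's username
    user = sessions.lookup(job.source_ip, now)
    if user is None:
        return ("prompt", None)          # job waits for a popup login
    return ("charge", user)              # the username on the job is ignored
```

While a session is open, every job from that IP address is charged to the session user whatever username the job carries, so the session length matters on machines that change hands.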

Web Print

Web Print is a service for printing documents that are uploaded via a web browser. This provides a simple way to enable printing for laptop, wireless and anonymous users without the need to install print drivers.

With Web Print users are authenticated when they log into the PaperCut NG user web interface. Any documents they upload can then be tracked against their user name.

More information about Web Print is available in Chapter 20, Web Print (Driver-less printing via a web browser).

Release Station Authentication

Release stations work by placing print jobs in a holding queue. Users must authenticate at a release station before being given access to release their job. A release station normally takes the form of a dedicated terminal located next to the printer(s), however the holding queue may also be accessed via a web browser. The act of a user releasing a job causes it to be charged to their account. Release stations can be used without installing the client software on users' workstations.

The hold/release queues are enabled on a printer queue level within PaperCut NG.

More information on setting up and using release stations is discussed in Chapter 10, Hold/Release Queues & Print Release Stations. To achieve authentication, the Release Station will be run in "release any" mode.

Choosing the right authentication option for your network

The choice of the authentication approach depends on the constraints of your network and your requirements. Below are some points to consider when making this decision:

  • Popup Authentication: Usually the most user-friendly option, but it requires the client software to be installed and running on all workstations that print. In some environments it is not possible to mandate that software be installed on personal laptops.

  • Release Station Authentication: Users do not need any additional software installed but the process of releasing a print job is more involved. You must install standard release stations near all your printers, or make use of the end-user web release station. If you are already using hold/release queues, then it makes sense to also use them for authentication.

Handling partially authenticated networks

Many sites have a heterogeneous network with a mix of both authenticated and unauthenticated printing. A common example is a college where all lab computers are connected to the domain and users must login to the workstations to print. The college also allows students to print using their personal laptops that are not authenticated on the network.

An administrator can choose to enable PaperCut NG authentication for all users. This is the simplest to set up but may be inconvenient for users who are already fully authenticated. Why should an authenticated user have to reauthenticate with PaperCut NG to print?

To overcome this it is recommended to set up two sets of print queues, one for the authenticated users and another for the unauthenticated users. These queues can point to the same physical printers, but are configured differently in both PaperCut NG and the operating system. The authenticated print queues:

  • Must only be accessible to authenticated users (i.e. through network security or operating system permissions).

  • Should not have the authentication enabled within PaperCut NG (i.e. do not enable the hold/release queue or unauthenticated printer options on the print queue).

  • Should not be published to unauthenticated users.

The unauthenticated print queues:

  • Must be configured to allow printing by unauthenticated users.

  • Must have the authentication enabled within PaperCut NG (i.e. enable the hold/release queue or flag the printer as unauthenticated).

  • Must be published to anonymous users so they know how to connect to and use the printers.

If the decision has been made to split up printers into two separate queues (authenticated and unauthenticated), administrators can use tools such as IP address filtering, firewalls, or user/group access permissions to control who has access to which set of queues (i.e. deny "guest" account access on authenticated queues in Windows).
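
The two sets of rules above can be checked against a queue inventory. The following is an added example, not part of PaperCut NG: the field names, queue names and severity labels are hypothetical, and the inventory is constructed sample data.

```python
# Constructed inventory; field names are hypothetical and do not
# correspond to a PaperCut NG export format.
QUEUES = [
    {"name": "lab-mono", "open_to_unauthenticated": False,
     "hold_release": False, "unauthenticated_flag": False,
     "published_to_anonymous": False},
    {"name": "laptop-mono", "open_to_unauthenticated": True,
     "hold_release": True, "unauthenticated_flag": False,
     "published_to_anonymous": True},
    {"name": "library-colour", "open_to_unauthenticated": True,
     "hold_release": False, "unauthenticated_flag": False,
     "published_to_anonymous": True},
    {"name": "staff-colour", "open_to_unauthenticated": False,
     "hold_release": False, "unauthenticated_flag": True,
     "published_to_anonymous": True},
]

def audit_queue(q):
    """Return (severity, message) findings for one queue."""
    findings = []
    # Either option makes PaperCut NG re-authenticate the user.
    papercut_auth = q["hold_release"] or q["unauthenticated_flag"]
    if q["open_to_unauthenticated"]:
        if not papercut_auth:
            findings.append(("high", "accepts unauthenticated jobs but "
                             "the job username is trusted and charged"))
        if not q["published_to_anonymous"]:
            findings.append(("low", "unauthenticated queue is not "
                             "published to anonymous users"))
    else:
        if papercut_auth:
            findings.append(("low", "authenticated users are asked to "
                             "re-authenticate"))
        if q["published_to_anonymous"]:
            findings.append(("medium", "authenticated queue is published "
                             "to unauthenticated users"))
    return findings

def audit(queues):
    """Map queue name -> findings, omitting queues that pass every rule."""
    results = {q["name"]: audit_queue(q) for q in queues}
    return {name: found for name, found in results.items() if found}
```

The "high" finding is the case the split is meant to prevent: a queue reachable without authentication on which PaperCut NG still trusts whatever username arrives with the job.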

For a detailed explanation of setting up PaperCut NG for unauthenticated laptop printing see the section called “Handling Unauthenticated (non-domain) Laptops”.

For discussion of many other authentication scenarios see the section called “The Authentication Cookbook - Recipes by example”.