About authentication and printing
Authentication in a printing environment is the act of confirming the digital identity of the person who issued a print job. Knowledge of the user’s identity allows PaperCut NG/MF to offer the user access to functions such as allocating the cost of a job to their account, or offering them access to shared accounts. In a Windows domain environment, authentication is handled at the point of login using a username and password. A web-of-trust is then established between servers and services.
By default PaperCut NG/MF assumes the printer queues are authenticated and trusts the username that is associated with the print job. It is this user who is charged for the printing. On fully authenticated networks (like 100% Windows Active Directory networks), PaperCut NG/MF can trust the username associated with the job. There are a few common scenarios where authentication is not as simple:
Generic, common, or shared user accounts. (e.g. generic “student” login).
Systems that auto-login as a set user.
Unauthenticated print queues or print protocols (e.g. LPR).
Users’ personal laptops that are not authenticated on the network.
Generic or shared login accounts are seen in some computer lab and network environments. In these environments administrators ask users to log in to selected systems using standard user names such as “student” or “user”. This practice is particularly common on the Apple Mac operating system as a single login helps streamline system and application management. The use of the Windows auto-login feature also poses a similar problem - authentication is not enforced at the time of system startup. An extra layer of authentication is required on these systems to correctly identify the person that performs printing.
Unauthenticated print queues also pose problems in cross platform environments. In an ideal world, all computers would talk the same protocols and happily work together in a single centrally authenticated environment. You can come close to this goal in a 100% Microsoft Windows environment, however, if you mix in Unix, Linux and Mac, it’s a different story. Although initiatives such as CUPS (Common Unix Printing System) and the Internet Printing Protocol (IPP) offer some hope, unification in the area of authenticated printing is still some way off. Unfortunately technical reasons often prevent networks from using CUPS authentication or exclusively using the authenticated Microsoft printing protocol.
The use of personal laptops or other unauthenticated workstations in an otherwise authenticated network is another cause of problems. These machines might not be able to authenticate to your network for a number of reasons:
The operating system does not support authentication (like Windows Home editions).
It is too complex to configure authentication on personal laptops.
Users log in to their laptop with their personally chosen username and password.
You cannot force users to change the configuration of their personal laptops.
If technical reasons prevent authentication at the print queue level, PaperCut NG/MF provides a number of alternate authentication options. These options change PaperCut NG/MF’s default behavior of trusting the username associated with a print job, and instead the user is required to re-authenticate before the job is printed. The two alternate authentication options are described below.
Popup authentication (IP session based authentication)
This method involves associating the workstation’s IP address with a user for a specified period of time - a session. Any print jobs arriving from this IP address are deemed to be associated with this user. Authentication is provided by the PaperCut NG/MF client software in the form of a popup dialog requesting a username and password. Data is transmitted to the server via an SSL encrypted connection. To print with popup authentication the client software must be running on the workstations or laptops.
Use popup authentication to:
Authenticate users who print from a generic login or auto-login account. This is done by flagging the generic account as unauthenticated in PaperCut NG/MF.
Authenticate users not authenticated to the network (e.g. personal laptop users). This is done by marking the print queues as unauthenticated in PaperCut NG/MF.
For more information, see Popup authentication.
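The IP session mechanism described above can be sketched as a small model. This is an added example, not PaperCut code; the class and function names, the 300-second session length, and the event format are assumptions made for illustration.

```python
# Added example: conceptual model of IP-session attribution, not PaperCut code.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Session:
    user: str
    expires_at: float  # seconds, same clock as job arrival times

class IpSessionTable:
    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds  # session length is an assumed setting
        self._sessions: Dict[str, Session] = {}

    def login(self, ip: str, user: str, now: float) -> None:
        # A successful popup login (re)binds the IP; any earlier binding is replaced.
        self._sessions[ip] = Session(user, now + self.ttl)

    def attribute(self, ip: str, now: float) -> Optional[str]:
        # Returns the user to charge, or None if the job must wait for a login.
        session = self._sessions.get(ip)
        if session is None or now >= session.expires_at:
            self._sessions.pop(ip, None)  # drop stale binding so it is never reused
            return None
        return session.user

def replay(events: List[Tuple], ttl_seconds: float = 300) -> List[Tuple[str, str]]:
    """Replays ('login', t, ip, user) and ('job', t, ip, job_id) events in order."""
    table, decisions = IpSessionTable(ttl_seconds), []
    for kind, t, ip, value in events:
        if kind == "login":
            table.login(ip, value, t)
        else:
            owner = table.attribute(ip, t)
            decisions.append((value, owner if owner else "HOLD: prompt for login"))
    return decisions

# Constructed sample events: times in seconds, addresses from a documentation range.
SAMPLE_EVENTS = [
    ("job", 0, "192.0.2.10", "job-1"),    # no session yet
    ("login", 5, "192.0.2.10", "alice"),
    ("job", 60, "192.0.2.10", "job-2"),   # inside alice's session
    ("job", 70, "192.0.2.11", "job-3"),   # different workstation, no session
    ("job", 400, "192.0.2.10", "job-4"),  # 5 + 300 = 305 < 400: session expired
    ("login", 410, "192.0.2.10", "bob"),
    ("job", 420, "192.0.2.10", "job-5"),  # same IP, now bound to bob
]

if __name__ == "__main__":
    print(*replay(SAMPLE_EVENTS), sep="\n")
```

Every job arriving from an IP during a live session is charged to that session's user, so the session length bounds how long a shared workstation stays bound to the last person who logged in.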
Web Print is a service for printing documents that are uploaded via a web browser. This provides a simple way to enable printing for laptop, wireless, and anonymous users without installing print drivers.
With Web Print users are authenticated when they log in to the PaperCut NG/MF user web interface. Any documents they upload can then be tracked against their user name.
For more information, see Web Print (driver-less printing via a web browser).
Release Station authentication
Release Stations work by placing print jobs in a holding queue. Users must authenticate at a Release Station before being given access to release their job. A Release Station normally takes the form of a dedicated terminal located next to the printer(s), however, the holding queue can also be accessed via a web browser. The act of a user releasing a job causes it to be charged to their account. You can use Release Stations without installing the client software on users’ workstations.
The hold/release queues are enabled on a printer queue level within PaperCut NG/MF.
For more information on setting up and using Release Stations, see Secure print release. To achieve authentication, the Release Station is run in “release any” mode.
Choosing the right authentication option for your network
The choice of the authentication approach depends on the constraints of your network and your requirements. Below are some points to consider when making this decision:
Popup authentication: Usually the most user-friendly option, but it requires the client software to be installed and running on all workstations that print. In some environments it is not possible to mandate that software be installed on personal laptops.
Release Station Authentication: Users do not need any additional software installed but the process of releasing a print job is more involved. You must install Standard Release Stations near all your printers, or make use of the User web interface Release Station. If you are already using hold/release queues, then it makes sense to also use them for authentication.
Handling partially authenticated networks
Many sites have a heterogeneous network with a mix of both authenticated and unauthenticated printing. A common example is a college where all lab computers are connected to the domain and users must log in to the workstations to print. The college also allows students to print using their personal laptops that are not authenticated on the network.
An administrator can enable PaperCut NG/MF authentication for all users. This is the simplest to set up but is inconvenient for users who are already fully authenticated. Why should an authenticated user have to re-authenticate with PaperCut NG/MF to print?
To overcome this it is recommended to set up two sets of print queues, one for the authenticated users and another for the unauthenticated users. These queues can point to the same physical printers, but are configured differently in both PaperCut NG/MF and the operating system. The authenticated print queues:
Must only be accessible to authenticated users (i.e. through network security or operating system permissions).
Should not have the authentication enabled within PaperCut NG/MF (i.e. do not enable the hold/release queue or unauthenticated printer options on the print queue).
Should not be published to unauthenticated users.
The unauthenticated print queues:
Must be configured to allow printing by unauthenticated users.
Must have the authentication enabled within PaperCut NG/MF. i.e. Enable the hold/release queue or flag the printer as unauthenticated.
Must be published to anonymous users so they know how to connect to and use the printers.
If the decision has been made to split up printers into two separate queues (authenticated and unauthenticated), administrators can use tools such as IP address filtering, firewalls, or user/group access permissions to control who has access to which set of queues (e.g. deny “guest” account access on authenticated queues in Windows).
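The split-queue rules above can be checked mechanically against a queue inventory. The following is an added example, not PaperCut code: the inventory format, field names and queue names are hypothetical, and the sample data is constructed.

```python
# Added example: field names are hypothetical, not PaperCut settings or API names.
from typing import Dict, List

def audit_queue(q: Dict) -> List[str]:
    """Returns findings for one queue; an empty list means it follows the rules."""
    findings = []
    papercut_auth = q["hold_release"] or q["flagged_unauthenticated"]
    if q["role"] == "authenticated":
        if q["open_to_unauthenticated"]:
            # Otherwise an unverified username on a job would be trusted and charged.
            findings.append("MUST restrict access to authenticated users")
        if papercut_auth:
            findings.append("SHOULD NOT enable PaperCut authentication")
        if q["published_to_anonymous"]:
            findings.append("SHOULD NOT be published to unauthenticated users")
    elif q["role"] == "unauthenticated":
        if not q["open_to_unauthenticated"]:
            findings.append("MUST allow printing by unauthenticated users")
        if not papercut_auth:
            findings.append("MUST enable hold/release or flag as unauthenticated")
        if not q["published_to_anonymous"]:
            findings.append("MUST be published to anonymous users")
    else:
        findings.append("unknown role; classify the queue before auditing")
    return findings

def audit(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Maps each non-compliant queue name to its findings."""
    results = {q["name"]: audit_queue(q) for q in inventory}
    return {name: f for name, f in results.items() if f}

def queue(name, role, open_unauth, hold, flagged, published):
    return {"name": name, "role": role, "open_to_unauthenticated": open_unauth,
            "hold_release": hold, "flagged_unauthenticated": flagged,
            "published_to_anonymous": published}

# Constructed inventory: two queues per physical printer, as the text recommends.
SAMPLE_INVENTORY = [
    queue("lab-mono", "authenticated", False, False, False, False),       # compliant
    queue("lab-mono-guest", "unauthenticated", True, True, False, True),  # compliant
    queue("lib-colour", "authenticated", True, False, False, True),       # guest access left on
    queue("lib-colour-guest", "unauthenticated", True, False, False, True),  # no PaperCut auth
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, findings)
```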
For a detailed explanation of setting up PaperCut NG/MF for unauthenticated laptop printing, see Handling unauthenticated (non-domain) laptops.
For discussion of many other authentication scenarios, see The authentication cookbook - recipes by example.