Table of Contents
Modern large multiuser networks, like those typically seen in Higher Education, are made up of mix of operating systems, authentication methods, personal student laptops, print protocols and disparate networks. This heterogeneous mix poses problems for system administrators working towards a unified and centralized print management system. PaperCut MF sports an array of tools to help administrators meet their unification goals. PaperCut MF's flexibility is however a double-edged sword and the multitude of options also bring complexity. This section discusses cross-platform support in detail, and hopes to arm the reader with the knowledge needed to make the correct architecture decisions. Solutions are presented as "recipes" with the aim of directing the reader to appropriate procedures and other chapters.
The objective of a centralized and unified PaperCut MF system is to offer all users, irrespective of their operating system or access method, access to the full array of features in a secured and authenticated way. PaperCut MF offers cross-platform client software providing end-user features on all major operating systems, however the need for secured and authenticated access adds an extra, somewhat complex dimension.
Authentication in a printing environment is the act of confirming the digital identity of the person who issued a print job. Knowledge of the user's identity allows PaperCut MF to offer the user access to functions such as allocating the cost of a job to their account, or offering them access to shared accounts. In a Windows domain environment, authentication is handled at the point of login using a username and password. A web-of-trust is then established between servers and services.
By default PaperCut MF assumes the printer queues are authenticated and trusts the username that is associated with the print job. It is this user is charged for for the printing. On fully authenticated networks (like 100% Windows Active Directory networks), PaperCut MF can trust the username associated with the job. There are a few common scenarios where authentication is not as simple:
Generic, common, or shared user accounts. (e.g. generic "student" login).
Systems that auto-login as a set user.
Unauthenticated print queues or print protocols (e.g. LPR).
Users' personal laptops that are not authenticated on the network.
Generic or shared login accounts are seen in some computer lab and network environments. In these environments administrators ask users to log into selected systems using standard user names such as "student" or "user". This practice is particularly common on the Apple Mac operating system as a single login helps streamline system and application management. The use of the Window auto-login feature also poses a similar problem - authentication is not enforced at the time of system startup. An extra layer of authentication is required on these systems to correctly identify the person that performs printing.
Unauthenticated print queues also pose problems in cross platform environments. In an ideal world all computers would talk the same protocols and happily work together in a single centrally authenticated environment. We can come close to this goal in a 100% Microsoft Windows environment, however if we mix in Unix, Linux and Mac, it's a different story. Although initiatives such as CUPS (Common Unix Printing System) and the Internet Printing Protocol (IPP) offer some hope, unification in the area of authenticated printing is still some way off. Unfortunately technical reasons often prevent networks from using CUPS authentication or exclusively using the authenticated Microsoft printing protocol.
The use of personal laptops or other unauthenticated workstations in an otherwise authenticated network is another cause of problems. These machines may not be able to authenticate to your network for number of reasons:
The operating system does not support authentication (like Windows Home editions).
It is too complex to configure authentication on personal laptops.
Users log in to their laptop with their personnally chosen username and password.
You cannot force users to change the configuration of their personal laptops.
If technical reasons prevent authentication at the print queue level, PaperCut MF provides a number of alternate authentication options. These options change PaperCut MF's default behavior of trusting the username associated with a print jobs, and instead the user will be required to re-authenticate before the job is printed. The two alternate authentication options are described below.
This method involves associating the workstation's IP address with a user for a specified period of time - a session. Any print jobs arriving from this IP address are deemed to be associated with this user. Authentication is provided by the PaperCut MF client software in the form of a popup dialog requesting a username and password. Data is transmitted to the server via an SSL encrypted connection. To print with popup authentication the client software must be running on the workstations or laptops.
Popup authentication can be used to:
Authenticate users that print from a generic login or auto-login account. This is done by flagging the generic account as unauthenticated in PaperCut MF.
Authenticate users not authenticated to the network (e.g. personal laptop users). This is done by marking the print queues as unauthenticated in PaperCut MF.
More information on popup authentication can be found in the section called “Popup Authentication”.
Web Print is a service for printing documents that are uploaded via a web browser. This provides a simple way to enable printing for laptop, wireless and anonymous users without the need to install print drivers.
With Web Print users are authenticated when they log into the PaperCut MF user web interface. Any documents they upload can then be tracked against their user name.
More information about Web Print is available in Chapter 21, Web Print (Driver-less printing via a web browser).
Release stations work by placing print jobs in a holding queue. Users must authenticate at a release station before being given access to release their job. A release station normally takes the form of a dedicated terminal located next to the printer(s), however the holding queue may also be accessed via a web browser. The act of a user releasing a job causes it to be charged to their account. Release stations can be used without installing the client software on user's workstations.
The hold/release queues are enabled on a printer queue level within PaperCut MF
More information on setting up and using release stations is discussed in Chapter 10, Hold/Release Queues & Print Release Stations. To achieve authentication, the Release Station will be run in "release any" mode.
The choice of the authenticatation approach depends on the constraints of your network and your requirements. Below are some points to consider when making this decision:
Popup Authentication: Usually the most user-friendly option, but it requires the client software to be installed and running on all workstations that print. In some environments it is not possible to mandate that software be installed on personal laptops.
Release Station Authentication: Users do not need any additional software installed but the process of releasing a print job is more involved. You must install standard release stations nearby all your printers, or make use of the end-user web release station. If you are already using hold/release queues, then it makes sense to also use them for authentication.
Many sites have a heterogenous network with a mix of both authenticated an unauthenticated printing. A common example, is a college where all lab computers are connected to the domain and users must login to the workstations to print. The college also allows students to print using their personal laptops that are not authenticated on the network.
An administrator can choose to enable PaperCut MF authentication for all users. This is the simplest to set up but may be inconvenient for users who are already fully authenticated. Why should an authenticated user have to reauthenticate with PaperCut MF to print?
To overcome this it is recommended to set up two sets of print queues, one for the authenticated users and another for the unauthenticated users. These queues can point to the same physical printers, but are configured differently in both PaperCut MF and the operating system. The authenticated print queues:
Must only be accessible to authenticated users (i.e. through network security or operating system permissions).
Should not have the authentication enabled within PaperCut MF (i.e. do not enable the hold/release queue or unauthenticated printer options on the print queue).
Should not be published to unauthenticated users.
The unauthenticated print queues:
Must be configured to allow printing by unauthenticated users.
Must have the authentication enabled within PaperCut MF. i.e. Enable the hold/release queue or flag the printer as unauthenticated.
Must be published to anonymous users so they know how to connect/user the printers.
If the descision as been made to split up printers into two seprate queues (authenticated and unauthenticated), administrators can use tools such as IP address filtering, firewalls, or user/group access permsisions to control who has access to which set of queues (i.e. deny "guest" account access on authenticated queues in Windows).
For a detailed explanation of setting up PaperCut MF for unauthenticated laptop printing see the section called “Handling Unauthenticated (non-domain) Laptops”
For discussion of many other authentication scenarios see the section called “The Authentication Cookbook - Recipes by example”
© Copyright 1999-2010. PaperCut Software International Pty Ltd. All rights reserved.