Domain, wireless, web filters and iPads internet access

ajf

Soldato
Joined
30 Oct 2006
Posts
3,044
Location
Worcestershire, UK
Maybe someone can help with this one.
At work we have a 2003 Windows domain. There is also a Dell PowerConnect W-3200 based wireless system which I believe uses RADIUS and certificates to auto-authenticate laptops etc.

All web access is filtered through a Barracuda Web Filter.

The problem is this:
We want to use iPads and iPhones on the wireless to access the internet. They will all authenticate onto the wireless with the user's domain account once the certificate is accepted and installed, and we can see internal network web interfaces on it.

However, when they try to access the internet all that happens is a block page from Barracuda stating that you need to be an authenticated domain user to access web sites.

I cannot work out what is happening here to cause the error. The iPad authenticates to wireless so must be authenticated on the domain? So Barracuda should let the traffic through?

Any thoughts from anyone at all?

Andrew
 
Associate
Joined
23 Dec 2002
Posts
1,495
Location
Under my desk
Under the wireless settings, HTTP Proxy, set to Manual and turn authentication 'on' and set the credentials...

The i-devices don't cache the credentials like a Windows machine, so it's only relevant for the wireless side and isn't used for proxy auth.
 

ajf

Soldato
OP
Joined
30 Oct 2006
Posts
3,044
Location
Worcestershire, UK
Hi. Thanks for the replies.
The devices can access internal sites so it seems it authenticates on the wireless without problem.
The Barracuda isn't seen as a proxy, so no settings are required. It should go straight onto the internet once a domain user logs in, which is what all the other machines do.
 
Associate
Joined
23 Dec 2002
Posts
1,495
Location
Under my desk
Yes - however, i-devices don't contain any LDAP or Windows mechanisms for auth. As the traffic passes through the Barracuda, it expects to be passed auth information as part of the handshake. As the i-device doesn't hold this information, it is unable to provide its identity - this is why you're getting the block page from the Barracuda.
From the device's perspective, all you are doing is authenticating to the wireless network - it doesn't have the capabilities to use this information elsewhere.

So, either you define it as a 'proxy' on the i-device or on the network, allocate fixed IPs and then put in no-auth rules from those IPs (while applying your normal policy) on the Barracuda. (I'm not sure if you can do that - but I assume they are fairly similar to Bluecoats.) There may also be a way to provide a login challenge instead, but this may compromise your current setup and really you don't want users to have to log in to the web filter in order to get internet access as that would be a pain....

How do your Windows machines get their proxy settings? I'm assuming it's via a PAC file? As traffic will have to be directed through the Barracuda at some stage by something?
 

ajf

Soldato
OP
Joined
30 Oct 2006
Posts
3,044
Location
Worcestershire, UK
Ah right, I understand what you mean now!
I will try that on Monday then and see what happens.

Not actually sure how the Barracuda/web access works as it was in before I joined and I've only been there 3 months so far!

Just know the machines have no proxy settings but the Barracuda filters on domain user accounts and the users have to be in groups. Other than that it seems to just 'silently' filter anything sent through the firewall.

Andrew
 