10-14-2010 08:02 AM
We plan to configure WCCP on a data centre switch to redirect all internet-based traffic to a Bluecoat SG810 proxy. That proxy is itself integrated to AD via BCAAA to provide filtering groups for the user (kids, adults etc).
The issue we have comes where the wireless client device can’t pass the correct authentication details to the proxy as it isn’t on the domain (only connected to the controller). Therefore the proxy asks for authentication details, meaning wireless users are asked for two logins (one for the wireless controller and one for the proxy). This is deemed as unacceptable. We can't use guest authentication on the Bluecoat box as the users require filters for specific user groups (kids, adults etc).
The user believes there must be some way we can configure the wireless controller to ‘know’ that a client has authenticated to AD and can then pass those same credentials to the upstream proxy. They do this now via static IP addresses (but we can and will only use dynamic IPs via DHCP in the new solution).
In all honesty I’m not sure if this is possible since I don’t know if/can/how the controller knows or retains the client's AD details against the IP address allocated and then passes this to the proxy. Can the Aruba wireless controllers be configured to do this when the APs are acting as DHCP relay servers? Can they pass through client authentication details (NTLM/Kerberos) to an upstream proxy? Is this standard? Is it something we can do with a NAT setting?
10-14-2010 08:17 AM
As I understand it SSO is only a lookup for which user has been logged on to a machine. IWA is good for all clients that actually support NTLM (or Kerberos), such as machines on the domain. Is SSO an alternative for the wireless devices? I assume using SSO means we would have to turn off source NATing on the controller such that SSO can always map the IP to a user, even when those devices are behind the wireless devices?
It also saves on the overhead of NTLM.
Would this work, would it enable transparent authentication via BCAAA and ensure the right filters got applied?
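The point made above about source NAT is worth seeing concretely: an IP-based SSO lookup (the BCAAA style of mapping) can only apply the right filter group if exactly one authenticated user sits behind each client IP the proxy sees. The toy identity map below is an added example, not code from the thread's posters, Aruba or Blue Coat; the addresses, user names, `kids`/`adults` groups and lease TTL are constructed for illustration. It shows the three cases that matter for a filtering deployment: clients with their own routable IPs resolve cleanly, clients hidden behind one NAT address become ambiguous (so the map falls back to the most restrictive group rather than guessing), and DHCP churn is handled by dropping a binding when the station leaves or its lease-aligned TTL expires.

```python
"""Toy IP-to-user identity map in the spirit of the SSO lookup discussed above.
Added example only; not Aruba, Blue Coat or BCAAA code. Addresses, users,
groups and the TTL are constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Filter groups, most restrictive first. When identity is ambiguous we fail
# towards the front of this list instead of guessing a user.
GROUP_ORDER = ["kids", "adults"]


@dataclass
class Binding:
    user: str
    group: str
    seen_at: int   # seconds on a constructed clock
    ttl: int       # seconds the binding stays valid without a refresh


class IdentityMap:
    """Maps a client IP to the AD user (and filter group) who authenticated from it."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, List[Binding]] = {}

    def login(self, ip: str, user: str, group: str, now: int, ttl: int = 3600) -> None:
        """Record that `user` authenticated from `ip` (e.g. controller login event)."""
        bindings = self._by_ip.setdefault(ip, [])
        for b in bindings:
            if b.user == user:            # same user re-auth / DHCP renew: refresh
                b.seen_at, b.ttl, b.group = now, ttl, group
                return
        bindings.append(Binding(user, group, now, ttl))

    def disconnect(self, ip: str, user: str) -> None:
        """Drop the binding when the controller sees the station leave."""
        self._by_ip[ip] = [b for b in self._by_ip.get(ip, []) if b.user != user]

    def _live(self, ip: str, now: int) -> List[Binding]:
        # Expire stale bindings so a recycled DHCP lease cannot inherit an old identity.
        live = [b for b in self._by_ip.get(ip, []) if now - b.seen_at < b.ttl]
        self._by_ip[ip] = live
        return live

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Return the single user behind `ip`, or None when unknown or ambiguous."""
        live = self._live(ip, now)
        return live[0].user if len(live) == 1 else None

    def filter_group(self, ip: str, now: int) -> str:
        """Group the proxy should enforce for traffic arriving from `ip`."""
        live = self._live(ip, now)
        if not live:
            return "unauthenticated"      # the proxy would prompt for credentials
        # Several users behind one NAT address cannot be told apart by IP alone,
        # so apply the most restrictive of their groups.
        return min((b.group for b in live), key=GROUP_ORDER.index)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the no-NAT, NAT and DHCP-churn cases; returns results for checking."""
    results: Dict[str, Optional[str]] = {}

    # Case 1: no source NAT, each client keeps its own IP as seen by the proxy.
    m = IdentityMap()
    m.login("10.1.1.20", "alice", "adults", now=0)
    m.login("10.1.1.21", "bobby", "kids", now=0)
    results["no_nat_alice"] = m.filter_group("10.1.1.20", now=10)   # adults
    results["no_nat_bobby"] = m.filter_group("10.1.1.21", now=10)   # kids

    # Case 2: controller source-NATs both clients to one address (constructed).
    nat = IdentityMap()
    nat.login("192.0.2.1", "alice", "adults", now=0)
    nat.login("192.0.2.1", "bobby", "kids", now=0)
    results["nat_user"] = nat.lookup("192.0.2.1", now=10)             # None: ambiguous
    results["nat_group"] = nat.filter_group("192.0.2.1", now=10)      # kids: fail restrictive

    # Case 3: DHCP churn. alice leaves and bobby later receives her old address.
    m.disconnect("10.1.1.20", "alice")
    m.login("10.1.1.20", "bobby", "kids", now=600)
    results["reassigned"] = m.filter_group("10.1.1.20", now=610)      # kids

    # Case 4: nobody refreshed bobby's original binding within the TTL.
    results["expired"] = m.filter_group("10.1.1.21", now=5000)        # unauthenticated
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The NAT case is the one that answers the question above: once the proxy sees a single translated address for many wireless users, no IP-keyed lookup can recover who is browsing, and the only safe policy is the most restrictive group, which defeats the per-group filtering the deployment needs. Keeping client addresses visible to the proxy, and tying binding lifetime to the DHCP lease, is what lets a BCAAA-style lookup stay both transparent and accurate.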
11-02-2011 10:42 PM
We're planning on an Amigopod / ArubaOS solution but client has a proxy server that they would like to be able to pass on user login details so that no secondary login is required.
Would appreciate any advice.
11-03-2011 03:30 AM
Aruba Customer Engineering