Wireless Access

Occasional Contributor II

ESI ReDirect for HTTP Proxy Fails

I) On the Aruba controller I have created a user rule using an ESI (external services interface) redirect for http traffic to be routed through the Barracuda. When functioning correctly, http traffic is filtered and inappropriate/blocked content is handled the way it should be. 

 
II) When functioning correctly, the firewall monitor on the Aruba controller shows the hits associated with that rule and it appears to be redirecting to the Barracuda.
 
Here's what happens when things get flaky:
  1. A student iPad or OS X user connects to the wireless SSID. 
  2. The user is able to navigate the Internet and is filtered (blocked) if the user goes to a blocked site.
  3. The user then goes idle for whatever reason (basically stops accessing the Internet).
  4. After about 5-10 minutes of inactivity, the user goes back to accessing the Internet, but then has no access to http requests. The Barracuda web log shows no activity from that user, but the wireless controller's firewall shows that the http request is being forwarded to the Barracuda. Again, the user has no access to http resources, filtered or otherwise. It's like the Barracuda just does not process the request at all.
  5. The user disables wifi on the device, waits a moment (literally the time it takes to disable wifi and enable it again), enables their wifi connection and is then able to access http resources.
Something to consider is that this only happens via the ESI redirect from the controller. If the proxy settings are manually inserted into the wifi settings on an iPad or OS X device, this problem does not occur. I could issue a Configuration Profile via our management system but have not for a couple of reasons. 1) It's too easy for a user to simply remove the proxy settings on an iPad and 2) if a user has a Mac or PC laptop, they'd have to be enrolled in our MDM system and we are only enrolling iPads.
 
I guess my biggest question is this: considering that the Aruba controller appears to be managing the redirect correctly (being able to see the firewall traffic leads me to believe that it is) and that the situation can be remedied by re-establishing the wifi connection, is there something related to the user authentication that could be causing this? The SSID that has this role associated with it uses AD Credentials authenticated against an internal RADIUS server.
Guru Elite

Re: ESI ReDirect for HTTP Proxy Fails

mbayhylle,

 

How does the user authenticate to get onto the network?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: ESI ReDirect for HTTP Proxy Fails

The user is prompted by the iPad to provide his AD username and password at initial login to the network. Once this step is complete the device stores this login information. The AD Credentials are authenticated against a RADIUS Server.

Guru Elite

Re: ESI ReDirect for HTTP Proxy Fails

mbayhylle,

 

Is it an 802.1x network, or is it a Captive Portal network? When the user has a problem, do they have to re-login using the Captive Portal or 802.1x?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: ESI ReDirect for HTTP Proxy Fails

It is an 802.1x network. When the problem occurs they simply have to disable their wifi connection and then re-enable it (so essentially re-authenticating using their cached credentials). The rule then begins to work correctly.

Guru Elite

Re: ESI ReDirect for HTTP Proxy Fails

mbayhylle,

 

Thank you for that information.

 

Does your device get a specific role when it passes 802.1x authentication, and is that the role that has the ESI redirect command?

In addition, does your AAA profile have an initial role and a default 802.1x role? Can you try changing the initial role for your AAA profile to the production role with the ESI rules in it? It could be that after inactivity, your user is being changed back to the initial role, and that role does not have the ESI rules.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: ESI ReDirect for HTTP Proxy Fails

Yes, the initial role is different than the 802.1x role. I will test that and see if it helps to resolve this. 

Occasional Contributor II

Re: ESI ReDirect for HTTP Proxy Fails

I made the change to the initial logon role and this does not seem to help.

Guru Elite

Re: ESI ReDirect for HTTP Proxy Fails

Can you enable debug logging for a user who has the issue?

 



Colin Joseph
Aruba Customer Engineering
