
Guest network and skype problems

  • 1.  Guest network and skype problems

    Posted Jul 01, 2014 08:52 AM

    Hi all, I have a guest network configured which directs users to a web filter for authentication, using a pac file for the proxy settings.

     

    Users on mobile devices, iPads, Samsungs etc. can authenticate fine and http/https works fine.  The problem comes with apps like Skype, which seem to direct all traffic directly to the firewall, which blocks them as they have not originated from the web filter.  Any suggestions? No problems with laptops as they seem to encapsulate the traffic correctly and are directed via the web proxy.

     

    Thanks



  • 2.  RE: Guest network and skype problems

    Posted Jul 01, 2014 09:49 AM

    I would think this is a Skype issue. Try changing the settings within Skype (Windows screenshot below):

     

    [Screenshot: Capture.JPG]

     

    You can't really do anything on the controller to force this.



  • 3.  RE: Guest network and skype problems

    Posted Jul 01, 2014 09:51 AM

    As a test to try and eliminate some variables, can you manually configure the proxy under the WiFi settings of one of your mobile devices and see if it works?



  • 4.  RE: Guest network and skype problems

    Posted Jul 01, 2014 10:11 AM

    Hi, thanks for the replies. Indeed on a Windows machine it works fine; I'm guessing that the additional settings required are in the Windows settings.

     

    If we add the proxy address on a mobile device, still the same issue.

     

    Same problems with apps like FaceTime and in particular Samsung updates; these all seem to bypass the proxy.



  • 5.  RE: Guest network and skype problems

    Posted Jul 01, 2014 10:39 AM

    This is a common problem with proxies and mobile devices.  Even if you manually put in the proxy settings into the device, a lot of applications won't use it or it might be the case they don't have permission to read the settings.

     

    You will drive yourself crazy trying to fix this.  The best way is to use a transparent proxy.



  • 6.  RE: Guest network and skype problems

    Posted Jul 01, 2014 11:01 AM

    Hi, we are using a transparent proxy.   The problem with these applications is they seem to be forwarded to the firewall and are not hitting the proxy.    These are the access lists I have in the guest role:

     

    user-role guest
    bw-contract 10MBLimit per-user upstream
    bw-contract 10MBLimit per-user downstream
    vlan 53
    access-list session WPAD
    access-list session Skype
    access-list session Webmail
    access-list session gmail
    access-list session TransparentProxy
    access-list session dns-acl
    access-list session Android
    access-list session tcp5228
    access-list session dhcp-acl
    access-list session PaperCut
    access-list session ProxyAccess
    access-list session GuestDenyHTTP
    access-list session DMZHttpHttps
    access-list session icmp-acl
    access-list session http-acl
    access-list session v6-http-acl
    access-list session https-acl
    access-list session v6-https-acl
    access-list session v6-dhcp-acl
    access-list session v6-icmp-acl
    access-list session v6-dns-acl



  • 7.  RE: Guest network and skype problems

    Posted Jul 01, 2014 11:27 AM

    OK.  The problem I have seen on a number of deployments now is that when you manually put the proxy settings into the device, like an iPhone or iPad, system apps like Safari work, but many, many other 3rd party apps don't use these proxy settings, and fail.

     

    I suspect what you are seeing is similar in that they are ignoring the proxy settings obtained from the pac file.

     

    How we got around that is for the upstream firewall to do the filtering, or for it to dst-nat to a transparent proxy.



  • 8.  RE: Guest network and skype problems

    Posted Jul 01, 2014 11:31 AM

    Michael, thanks for the swift reply.   The issue with Skype is that it uses random ports, I believe, meaning the firewall will be wide open.  Seems this may be a more serious issue than I first thought.



  • 9.  RE: Guest network and skype problems

    Posted Jul 28, 2019 12:35 AM

    Hi all,

     

    I have configured a new SSID with MAC authentication, created a new Access Control and added all the roles below.

    global-sacl :
    apprf-authenticated-sacl :
    ra-guard :
    http-acl :
    https-acl :
    dhcp-acl :
    icmp-acl :
    dns-acl :
    v6-http-acl :
    v6-https-acl :
    v6-dhcp-acl :
    v6-icmp-acl :
    v6-dns-acl :
    allowall :
    v6-allowall :

    Now MAC authentication is working but Skype for Business is not getting connected.

     

    Please let me know what can be done. Am I missing any role that needs to be added?



  • 10.  RE: Guest network and skype problems

    Posted Jul 28, 2019 07:40 AM

    This message thread is 5 years old.  Please open a new thread with your question.