Wireless Access

last person joined: 2 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Best way to force guests to use a proxy?

Jump to Best Answer
  • 1.  Best way to force guests to use a proxy?

    Posted May 28, 2010 09:36 AM
    At several customers their guests are required to use a proxy server to browse the web.
    Having guests with a multitude of browsers needing to set their proxies is a supports nightmare though.

    For IE users setting dhcp option 252 with the correct wpad.dat (proxy.pac) file helps, but the user still needs to have checked the "automatically detect settings" button in IE's proxy config screen.
    Firefox users are even 'worse' since firefox doesn't listen to the dhcp option but wants dns instead. Now I can't get the controller to serve http://wpad/wpad.dat and adding an extra webserver just to serve

    So onto my question.. is there no other solution where I can redirect any and all http traffic to a proxy without any user intervention? If this isn't possible, how do I get firefox and other browser users to the proxy with as little configuration as possible and no extra servers (like IE's 1 checkbox)?
    Is this solvable at all?


  • 2.  RE: Best way to force guests to use a proxy?
    Best Answer

    Posted May 28, 2010 12:11 PM
      |   view attached
    Koenv,

    Looks like you did your homework.

    If you have a transparent proxy, the easiest way to get users to it is to write a firewall policy that destination NATs any port 80 traffic to the IP address and port of the proxy and apply it to that user role. In this example, the proxy is at 10.1.1.50 on port 8080.



  • 3.  RE: Best way to force guests to use a proxy?

    Posted Jun 02, 2010 12:33 AM
      |   view attached
    Well, we are in the proccess of redircting users to T Proxy and would probably use the below rule too.

    What is ESI Group? I thought of using that instead of nat
    in cli, it has a lot of options to be configured, and we are planning to do it this way:

    esi server Tproxy
    trusted-ip-addr 166.87.255.15
    mode nat
    dport 80

    Then


  • 4.  RE: Best way to force guests to use a proxy?

    Posted Jun 02, 2010 09:58 AM

    Koenv,

    Looks like you did your homework.

    If you have a transparent proxy, the easiest way to get users to it is to write a firewall policy that destination NATs any port 80 traffic to the IP address and port of the proxy and apply it to that user role. In this example, the proxy is at 10.1.1.50 on port 8080.




    I'm confused. As soon as I have my controller dst-nat anything.. how will the proxy that comes after that know what website I was trying to reach?
    Say my guest tries to reach http://google.com. If we have the controller dest-nat that traffic to the proxy that traffic arrives at the proxy like it was destined for the proxy and not google right? It won't know where to forward this traffic.

    Or am I misunderstanding what a transparent proxy is exactly?

    And sorry Ghubari, never heard of ESI group before.


  • 5.  RE: Best way to force guests to use a proxy?

    Posted Jun 02, 2010 10:33 AM
    Wikipedia explains it better than I ever could: http://en.wikipedia.org/wiki/Transparent_proxy#Transparent_and_non-transparent_proxy_server

    To make it short, the proxy maintains a list of requests and makes requests on behalf of the clients that have made requests. When the request returns from the web to the proxy, it delivers it to the client.


  • 6.  RE: Best way to force guests to use a proxy?

    Posted Sep 24, 2010 01:52 AM
    Hi Guys, ive configured a rule below the standard mswitch rule inside the captiveportal policy to nat the traffic to the proxy server, however, a packet capture shows the wifi client sending the traffic direct to the resolved IP of the website, not the proxy server

    Can anyone help diagnose why this nat rule is not working

    thanks

    user mswitch svc-https dst-nat 8081

    user any svc-http dst-nat ip 163.8.85.68 8080 <-- this is our proxy and its IP

    user any svc-https dst-nat 8081


  • 7.  RE: Best way to force guests to use a proxy?

    Posted Sep 24, 2010 05:22 AM
    Type "show acl hits" on the commandline to see what rule you are REALLY hitting for Http(s).


  • 8.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 05:58 PM
    One single lonely hit, that doesnt seem right though as I was sending wireless traffic destined for the internet which should have hit that rule...


  • 9.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 06:10 PM
    What Role is the user in (show user)? When you find out that role, type "show rights


  • 10.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 06:19 PM
    OK, great, ill check that - just waiting for the wireless device to come into the office :) Ill let you know. Thanks


  • 11.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:27 PM
    So, the user logs in , we get the capitve portal, which is successful but its not assigning our test user 'guest2010' into the guest profile and using the guest-web policy that has our NAT rule


    (P7FUJI01) #show user

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
    10.36.2.246 00:24:2b:c1:47:43 guest-logon 00:00:38 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g-HT guest-aaa-profile
    10.36.3.253 00:1c:bf:23:51:aa guest-logon 00:00:54 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g guest-aaa-profile
    10.36.3.250 00:1e:c2:c3:8a:ce guest2010 guest 00:00:46 Web 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:19/a-HT guest-aaa-profile

    User Entries: 3/3

    (P7FUJI01) #show acl hits

    User Role ACL Hits
    ------------------
    Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ---- ------ --- --- ------- ------ ----------- -------- ---------- -----
    guest guest-blacklist any any any permit 28 28 15801
    guest-logon guest-control user any svc-dhcp permit 0 1 15775
    guest-logon guest-control user DNSServers svc-dns permit 0 17 15776
    guest-logon captiveportal user mswitch svc-https dst-nat 8081 0 8 15778
    guest-logon captiveportal user any svc-http dst-nat 8080 0 2 15779
    guest-logon any any 0 deny 9 31 15781

    Port Based Session ACL
    ----------------------
    Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ------ --- --- ------- ------ ----------- -------- ---------- -----
    validuser any any any permit 0 86 7954
    deny-corporate-to-mgmt any controller-vrrp svc-syslog permit 8 1157 8266
    deny-corporate-to-mgmt inband-ip inband-ip any permit 1365 646665 8267
    deny-corporate-to-mgmt inband-ip vrrp-mcast any permit 0 8881 8268
    deny-corporate-to-mgmt airwave inband-ip any permit 20 11660 8270
    deny-corporate-to-mgmt guest-users inband-ip svc-http permit 0 213 8271
    deny-corporate-to-mgmt any inband-ip svc-papi permit 13 7427 8275
    deny-corporate-to-mgmt any inband-ip svc-gre permit 0 4 8276
    deny-corporate-to-mgmt any inband-ip svc-http permit 0 115 8280
    deny-corporate-to-mgmt any inband-ip svc-syslog permit 0 11 8284
    deny-corporate-to-mgmt any inband-ip svc-icmp permit 0 2 8285
    deny-corporate-to-mgmt any any 0 deny 34 3353 8286

    Port ACL Hits
    -------------
    ACL ACE New Hits Total Hits Index
    --- --- -------- ---------- -----

    (P7FUJI01) #


  • 12.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:34 PM

    So, the user logs in , we get the capitve portal, which is successful but its not assigning our test user 'guest2010' into the guest profile and using the guest-web policy that has our NAT rule


    (P7FUJI01) #show user

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
    10.36.2.246 00:24:2b:c1:47:43 guest-logon 00:00:38 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g-HT guest-aaa-profile
    10.36.3.253 00:1c:bf:23:51:aa guest-logon 00:00:54 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g guest-aaa-profile
    10.36.3.250 00:1e:c2:c3:8a:ce guest2010 guest 00:00:46 Web 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:19/a-HT guest-aaa-profile

    User Entries: 3/3

    (P7FUJI01) #show acl hits

    User Role ACL Hits
    ------------------
    Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ---- ------ --- --- ------- ------ ----------- -------- ---------- -----
    guest guest-blacklist any any any permit 28 28 15801
    guest-logon guest-control user any svc-dhcp permit 0 1 15775
    guest-logon guest-control user DNSServers svc-dns permit 0 17 15776
    guest-logon captiveportal user mswitch svc-https dst-nat 8081 0 8 15778
    guest-logon captiveportal user any svc-http dst-nat 8080 0 2 15779
    guest-logon any any 0 deny 9 31 15781

    Port Based Session ACL
    ----------------------
    Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ------ --- --- ------- ------ ----------- -------- ---------- -----
    validuser any any any permit 0 86 7954
    deny-corporate-to-mgmt any controller-vrrp svc-syslog permit 8 1157 8266
    deny-corporate-to-mgmt inband-ip inband-ip any permit 1365 646665 8267
    deny-corporate-to-mgmt inband-ip vrrp-mcast any permit 0 8881 8268
    deny-corporate-to-mgmt airwave inband-ip any permit 20 11660 8270
    deny-corporate-to-mgmt guest-users inband-ip svc-http permit 0 213 8271
    deny-corporate-to-mgmt any inband-ip svc-papi permit 13 7427 8275
    deny-corporate-to-mgmt any inband-ip svc-gre permit 0 4 8276
    deny-corporate-to-mgmt any inband-ip svc-http permit 0 115 8280
    deny-corporate-to-mgmt any inband-ip svc-syslog permit 0 11 8284
    deny-corporate-to-mgmt any inband-ip svc-icmp permit 0 2 8285
    deny-corporate-to-mgmt any any 0 deny 34 3353 8286

    Port ACL Hits
    -------------
    ACL ACE New Hits Total Hits Index
    --- --- -------- ---------- -----

    (P7FUJI01) #




    So users in a captive portal are assigned roles based on the Captive Portal authentication profile assigned to that captive portal. In the Captive Portal authentication profile, there is a server group that says the database you are using to authenticate users, as well as a Default Role, that decides what role users who are authenticated will be placed in. Find your captive portal authentication profile under Configuration> All Profiles> Wireless> Captive Portal Authentication Profile. Change the default role to be the one you want the user to be in AFTER authentication.


  • 13.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:42 PM
    Thakns, ive just checked that captiveportal role and its set to 'guest' which is correct, i also checked that guest-web firewall policy is associated to userrole guest..


  • 14.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:47 PM
    Okay, let's see "show rights guest", then.


  • 15.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:51 PM
    (P7FUJI01) #show rights guest

    Derived Role = 'guest'
    Up BW contract = 1Mbps (1000000 bits/sec) Down BW contract = 1Mbps (1000000 bits/sec)
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 3/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 guest-blacklist
    2 cplogout
    3 guest-web
    4 vpnlogon

    guest-blacklist
    ---------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any any permit Low
    cplogout
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user controller svc-https dst-nat 8081 Low
    guest-web
    ---------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any 192.168.0.0 255.255.0.0 any deny Yes Low
    2 any 172.16.0.0 255.240.0.0 any deny Yes Low
    3 any 10.0.0.0 255.0.0.0 any deny Yes Low
    4 user any svc-http dst-nat ip 163.8.85.68 8080 Low
    5 user any svc-https permit Low
    6 user any svc-dhcp permit Low
    7 user any svc-icmp permit Low
    8 user any svc-dns permit Low
    9 any any any deny Yes Low
    vpnlogon
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user any svc-ike permit Low
    2 user any svc-esp permit Low
    3 any any svc-l2tp permit Low
    4 any any svc-pptp permit Low
    5 any any svc-gre permit Low

    Expired Policies (due to time constraints) = 0

    (P7FUJI01) #


  • 16.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 08:22 PM
    The first policy is guest-blacklist, which is what all packets hit. (any any permit low). Since the rules are evaluated from top to bottom, they never make it past this rule. Remove guest-blacklist from that ruleset.


  • 17.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 08:33 PM
    Ive just done a test telnet to the proxy ip/port form the wireless client and I can see it works, however, it doesnt appear as if the controller is doing the nat as it should... i cant see how I can find hits based on the guest-web policy

    thanks
    kris


  • 18.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 08:41 PM
    *slaps forehead* of course!! ok, fixed that. We still cant get through, on the firewall we can see the packet but no web access :( ill check our proxy


  • 19.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 08:42 PM
    Remove all the ACLs besides the guest-web ACL from the user role, because all of the others just get in the way. You can add security back in, when functionality works. I repeat, remove guest-blacklist, cplogout and vpnlogon from that guest role.


  • 20.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 11:33 PM
    Thanks Colin, we've got it working now :) you're a star, thanks!


  • 21.  RE: Best way to force guests to use a proxy?

    Posted Oct 28, 2010 04:03 PM



    We're trying to accomplish the same thing here, to replace the WCCP2 provided by our Cisco switch. However, I can't get it to work. I can't see where the d-nat packets go - a netstat on the proxy shows no sign of them. Even though I see firewall hits for the policies on the Aruba controller. What else can I do to trace where these packets are ending up?

    This line below:
    1 user 72.2.0.12 svc-http permit
    Allows traffic directed at the proxy (if I enable manual proxy in the browser, which works) to go through without a d-nat. Any other port 80 traffic is caught by the next rule.
    2 user any svc-http dst-nat ip 72.2.0.12 80

    (Aruba6000) #show rights sls-domain-admin

    Derived Role = 'sls-domain-admin'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 3
    Periodic reauthentication: Disabled
    ACL Number = 56/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 http-proxy-redir
    2 allowall

    http-proxy-redir
    ----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user 72.2.0.12 svc-http permit Low
    2 user any svc-http dst-nat ip 72.2.0.12 80 Low
    allowall
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any any permit Low

    Expired Policies (due to time constraints) = 0



  • 22.  RE: Best way to force guests to use a proxy?

    Posted Nov 01, 2010 07:58 PM
    Resolved. It turns out routing needs to be enabled on the VLANs in question on the controller. We had disabled routing for all VLANs since we have Cisco 6x00s doing our routing. This appears to offer a simple alternative to WCCP for proxy transparency, but we'll see how it works in production. Our Cisco 6000 Sup1/MSFC was choking during peak loads using WCCP2... :-(


  • 23.  RE: Best way to force guests to use a proxy?

    Posted Feb 07, 2011 10:49 PM
    sorry for bringing up this old thread..
    i managed to force Http traffic to my proxy server.. but its not working for https traffic.
    I'm using bluecoat proxysg and did a policy trace..

    for HTTP traffic, i can see the url being forwarded to the proxy from the wireless controller IP (interface NAT on the controller)

    for HTTPS traffic, im seeing the url translated to the proxy-ip

    im puzzled with all of these.. because to my gut feeling, i think that HTTPS behaviour is wat im supposed to get logically whereas HTTP is not. Reason behind.. i dont understand WHY a dst-nat of ANY HTTP traffic to proxy-ip will retain its full actual URL as what the user typed and forward to the proxy.

    Whereas for HTTPS, the dst-nat is doing its job, it translate the URL to proxy-ip and thus it fails on my bluecoat..

    Any help to resolve this?


  • 24.  RE: Best way to force guests to use a proxy?

    Posted Feb 08, 2011 05:26 AM
    dst-NAT will ONLY work port port 80, unfortunately. SSL using dst-nat and Bluecoat will not work in that fashion, unfortunately.


  • 25.  RE: Best way to force guests to use a proxy?

    Posted Feb 23, 2011 09:39 PM



    ya.. pretty frustrusted with this..

    in a way, do you see this as a bug? it seems that a wrong behaviour for port 80 makes thing works whereas a correct behaviour for 443 just break it



  • 26.  RE: Best way to force guests to use a proxy?

    Posted Feb 23, 2011 09:45 PM
    No, because SSL does not work with destination NAT on any platform. Aruba is no exception to that rule.


  • 27.  RE: Best way to force guests to use a proxy?

    Posted Oct 11, 2011 05:10 PM
    Hi All,

    I know this is an old post, but we're just starting a content filtering initiative and I'm interested to know how people handle 443 traffic since destination NAT doesn't work.

    Thanks,
    Pete


  • 28.  RE: Best way to force guests to use a proxy?

    Posted Jul 14, 2015 02:31 AM

    I'm so curious about this. How can a DNAT of all HTTP traffic to the proxy server work if the client browser usually does not include the host in the URL of a direct HTTP request? Has that changed over time on latest versions of browsers?