ArubaOS and Controllers

New Contributor

Wireless Authentication with a Proxy server

We have wireless devices (could be laptops, netbooks etc.) which connect via APs to an Aruba wireless controller. Users of these devices can request an AD account from an admin. They then connect to the wireless controller and authenticate to AD via the standard captive portal.

We plan to configure WCCP on a data centre switch to redirect all internet-based traffic to a Bluecoat SG810 proxy. That proxy is itself integrated to AD via BCAAA to provide filtering groups for the user (kids, adults etc.).

The issue we have comes where the wireless client device can’t pass the correct authentication details to the proxy as it isn’t on the domain (only connected to the controller). Therefore the proxy asks for authentication details, meaning wireless users are asked for two logins (one for the wireless controller and one for the proxy). This is deemed unacceptable. We can’t use guest authentication on the Bluecoat box as the users require filters for specific user groups (kids, adults etc.).

The user believes there must be some way we can configure the wireless controller to ‘know’ that a client has authenticated to AD and can then pass those same credentials to the upstream proxy. They do this now via static IP addresses (but we can and will only use dynamic IPs via DHCP in the new solution).

In all honesty I’m not sure if this is possible since I don’t know if/can/how the controller knows or retains the client's AD details against the IP address allocated and then passes this to the proxy. Can the Aruba wireless controllers be configured to do this when the APs are acting as DHCP relay servers? Can they pass through client authentication details (NTLM/Kerberos) to an upstream proxy? Is this standard? Is it something we can do with a NAT setting?

Many thanks
New Contributor

Re: Wireless Authentication with a Proxy server

Could we use SSO authentication within Bluecoat to solve this?

As I understand it, SSO is only a lookup for which user has been logged on to a machine. IWA is good for all clients that actually support NTLM (or Kerberos) such as machines on the domain. Is SSO an alternative for the wireless devices? I assume SSO means we would have to turn off source NATing on the controller such that SSO can always map the IP to a user, even when those devices are behind the wireless devices?

Also saves on the overhead of NTLM.

Would this work, would it enable transparent authentication via BCAAA and ensure the right filters got applied?
New Contributor

Re: Wireless Authentication with a Proxy server

Any help here guys?

Could we use JavaScript behind the captive portal to automatically register with a proxy?
All-Decade MVP 2020

Re: Wireless Authentication with a Proxy server

I'd like to revive this topic to see if anybody has had any progress solving this issue, as it is now something I'm trying to deal with for a client.

We're planning on an Amigopod / ArubaOS solution, but the client has a proxy server that they would like to be able to pass on user login details to, so that no secondary login is required.

Would appreciate any advice.
Guru Elite

Re: Wireless Authentication with a Proxy server

Create a separate subnet for wireless users. Enable filtering on that subnet on the Bluecoat, but do not make them authenticate on the Bluecoat. Make the users on the wireless network authenticate only through Aruba/Amigopod. In the Aruba/Amigopod server group for the Captive Portal, put the AD server as well as the Amigopod server and enable failthrough, so that credentials would be checked for both.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*