Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Best way to force guests to use a proxy?

  • 1.  Best way to force guests to use a proxy?

    MVP
    Posted May 28, 2010 09:36 AM
    At several customers their guests are required to use a proxy server to browse the web.
    Having guests with a multitude of browsers needing to set their proxies is a support nightmare though.

    For IE users setting dhcp option 252 with the correct wpad.dat (proxy.pac) file helps, but the user still needs to have checked the "automatically detect settings" button in IE's proxy config screen.
    Firefox users are even 'worse' since firefox doesn't listen to the dhcp option but wants dns instead. Now I can't get the controller to serve http://wpad/wpad.dat and adding an extra webserver just to serve

    So onto my question.. is there no other solution where I can redirect any and all http traffic to a proxy without any user intervention? If this isn't possible, how do I get firefox and other browser users to the proxy with as little configuration as possible and no extra servers (like IE's 1 checkbox)?
    Is this solvable at all?


  • 2.  RE: Best way to force guests to use a proxy?
    Best Answer

    EMPLOYEE
    Posted May 28, 2010 12:11 PM
    Koenv,

    Looks like you did your homework.

    If you have a transparent proxy, the easiest way to get users to it is to write a firewall policy that destination NATs any port 80 traffic to the IP address and port of the proxy and apply it to that user role. In this example, the proxy is at 10.1.1.50 on port 8080.



  • 3.  RE: Best way to force guests to use a proxy?

    Posted Jun 02, 2010 12:33 AM
    Well, we are in the process of redirecting users to T Proxy and would probably use the below rule too.

    What is ESI Group? I thought of using that instead of nat
    in cli, it has a lot of options to be configured, and we are planning to do it this way:

    esi server Tproxy
    trusted-ip-addr 166.87.255.15
    mode nat
    dport 80

    Then


  • 4.  RE: Best way to force guests to use a proxy?

    MVP
    Posted Jun 02, 2010 09:58 AM

    Koenv,

    Looks like you did your homework.

    If you have a transparent proxy, the easiest way to get users to it is to write a firewall policy that destination NATs any port 80 traffic to the IP address and port of the proxy and apply it to that user role. In this example, the proxy is at 10.1.1.50 on port 8080.




    I'm confused. As soon as I have my controller dst-nat anything.. how will the proxy that comes after that know what website I was trying to reach?
    Say my guest tries to reach http://google.com. If we have the controller dest-nat that traffic to the proxy that traffic arrives at the proxy like it was destined for the proxy and not google right? It won't know where to forward this traffic.

    Or am I misunderstanding what a transparent proxy is exactly?

    And sorry Ghubari, never heard of ESI group before.


  • 5.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Jun 02, 2010 10:33 AM
    Wikipedia explains it better than I ever could: http://en.wikipedia.org/wiki/Transparent_proxy#Transparent_and_non-transparent_proxy_server

    To make it short, the proxy maintains a list of requests and makes requests on behalf of the clients that have made requests. When the request returns from the web to the proxy, it delivers it to the client.


  • 6.  RE: Best way to force guests to use a proxy?

    Posted Sep 24, 2010 01:52 AM
    Hi guys, I've configured a rule below the standard mswitch rule inside the captiveportal policy to NAT the traffic to the proxy server; however, a packet capture shows the wifi client sending the traffic direct to the resolved IP of the website, not the proxy server.

    Can anyone help diagnose why this NAT rule is not working?

    thanks

    user mswitch svc-https dst-nat 8081

    user any svc-http dst-nat ip 163.8.85.68 8080 <-- this is our proxy and its IP

    user any svc-https dst-nat 8081


  • 7.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Sep 24, 2010 05:22 AM
    Type "show acl hits" on the commandline to see what rule you are REALLY hitting for Http(s).


  • 8.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 05:58 PM
    One single lonely hit. That doesn't seem right though, as I was sending wireless traffic destined for the internet which should have hit that rule...


  • 9.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Sep 26, 2010 06:10 PM
    What Role is the user in (show user)? When you find out that role, type "show rights <ROLE>" to see what firewall policies are assigned to that role.

    From the firewall policies, it seems that you are adding the redirect to the "logon" role for that user. You might want to add those policies to the resultant "guest" role that the user gets AFTER logging in.


  • 10.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 06:19 PM
    OK, great, I'll check that - just waiting for the wireless device to come into the office :) I'll let you know. Thanks


  • 11.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:27 PM
    So, the user logs in, we get the captive portal, which is successful, but it's not assigning our test user 'guest2010' into the guest profile and using the guest-web policy that has our NAT rule.


    (P7FUJI01) #show user

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
    10.36.2.246 00:24:2b:c1:47:43 guest-logon 00:00:38 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g-HT guest-aaa-profile
    10.36.3.253 00:1c:bf:23:51:aa guest-logon 00:00:54 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g guest-aaa-profile
    10.36.3.250 00:1e:c2:c3:8a:ce guest2010 guest 00:00:46 Web 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:19/a-HT guest-aaa-profile

    User Entries: 3/3

    (P7FUJI01) #show acl hits

    User Role ACL Hits
    ------------------
    Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ---- ------ --- --- ------- ------ ----------- -------- ---------- -----
    guest guest-blacklist any any any permit 28 28 15801
    guest-logon guest-control user any svc-dhcp permit 0 1 15775
    guest-logon guest-control user DNSServers svc-dns permit 0 17 15776
    guest-logon captiveportal user mswitch svc-https dst-nat 8081 0 8 15778
    guest-logon captiveportal user any svc-http dst-nat 8080 0 2 15779
    guest-logon any any 0 deny 9 31 15781

    Port Based Session ACL
    ----------------------
    Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ------ --- --- ------- ------ ----------- -------- ---------- -----
    validuser any any any permit 0 86 7954
    deny-corporate-to-mgmt any controller-vrrp svc-syslog permit 8 1157 8266
    deny-corporate-to-mgmt inband-ip inband-ip any permit 1365 646665 8267
    deny-corporate-to-mgmt inband-ip vrrp-mcast any permit 0 8881 8268
    deny-corporate-to-mgmt airwave inband-ip any permit 20 11660 8270
    deny-corporate-to-mgmt guest-users inband-ip svc-http permit 0 213 8271
    deny-corporate-to-mgmt any inband-ip svc-papi permit 13 7427 8275
    deny-corporate-to-mgmt any inband-ip svc-gre permit 0 4 8276
    deny-corporate-to-mgmt any inband-ip svc-http permit 0 115 8280
    deny-corporate-to-mgmt any inband-ip svc-syslog permit 0 11 8284
    deny-corporate-to-mgmt any inband-ip svc-icmp permit 0 2 8285
    deny-corporate-to-mgmt any any 0 deny 34 3353 8286

    Port ACL Hits
    -------------
    ACL ACE New Hits Total Hits Index
    --- --- -------- ---------- -----

    (P7FUJI01) #


  • 12.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Sep 26, 2010 07:34 PM

    So, the user logs in, we get the captive portal, which is successful, but it's not assigning our test user 'guest2010' into the guest profile and using the guest-web policy that has our NAT rule.


    (P7FUJI01) #show user

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
    10.36.2.246 00:24:2b:c1:47:43 guest-logon 00:00:38 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g-HT guest-aaa-profile
    10.36.3.253 00:1c:bf:23:51:aa guest-logon 00:00:54 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:11/g guest-aaa-profile
    10.36.3.250 00:1e:c2:c3:8a:ce guest2010 guest 00:00:46 Web 00:24:6c:c3:1f:91 Wireless PincG/00:24:6c:b1:f9:19/a-HT guest-aaa-profile

    User Entries: 3/3

    (P7FUJI01) #show acl hits

    User Role ACL Hits
    ------------------
    Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ---- ------ --- --- ------- ------ ----------- -------- ---------- -----
    guest guest-blacklist any any any permit 28 28 15801
    guest-logon guest-control user any svc-dhcp permit 0 1 15775
    guest-logon guest-control user DNSServers svc-dns permit 0 17 15776
    guest-logon captiveportal user mswitch svc-https dst-nat 8081 0 8 15778
    guest-logon captiveportal user any svc-http dst-nat 8080 0 2 15779
    guest-logon any any 0 deny 9 31 15781

    Port Based Session ACL
    ----------------------
    Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ------ --- --- ------- ------ ----------- -------- ---------- -----
    validuser any any any permit 0 86 7954
    deny-corporate-to-mgmt any controller-vrrp svc-syslog permit 8 1157 8266
    deny-corporate-to-mgmt inband-ip inband-ip any permit 1365 646665 8267
    deny-corporate-to-mgmt inband-ip vrrp-mcast any permit 0 8881 8268
    deny-corporate-to-mgmt airwave inband-ip any permit 20 11660 8270
    deny-corporate-to-mgmt guest-users inband-ip svc-http permit 0 213 8271
    deny-corporate-to-mgmt any inband-ip svc-papi permit 13 7427 8275
    deny-corporate-to-mgmt any inband-ip svc-gre permit 0 4 8276
    deny-corporate-to-mgmt any inband-ip svc-http permit 0 115 8280
    deny-corporate-to-mgmt any inband-ip svc-syslog permit 0 11 8284
    deny-corporate-to-mgmt any inband-ip svc-icmp permit 0 2 8285
    deny-corporate-to-mgmt any any 0 deny 34 3353 8286

    Port ACL Hits
    -------------
    ACL ACE New Hits Total Hits Index
    --- --- -------- ---------- -----

    (P7FUJI01) #




    So users in a captive portal are assigned roles based on the Captive Portal authentication profile assigned to that captive portal. In the Captive Portal authentication profile, there is a server group that says the database you are using to authenticate users, as well as a Default Role, that decides what role users who are authenticated will be placed in. Find your captive portal authentication profile under Configuration> All Profiles> Wireless> Captive Portal Authentication Profile. Change the default role to be the one you want the user to be in AFTER authentication.


  • 13.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:42 PM
    Thanks, I've just checked that captiveportal role and it's set to 'guest', which is correct. I also checked that the guest-web firewall policy is associated to userrole guest..


  • 14.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Sep 26, 2010 07:47 PM
    Okay, let's see "show rights guest", then.


  • 15.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 07:51 PM
    (P7FUJI01) #show rights guest

    Derived Role = 'guest'
    Up BW contract = 1Mbps (1000000 bits/sec) Down BW contract = 1Mbps (1000000 bits/sec)
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 3/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 guest-blacklist
    2 cplogout
    3 guest-web
    4 vpnlogon

    guest-blacklist
    ---------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any any permit Low
    cplogout
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user controller svc-https dst-nat 8081 Low
    guest-web
    ---------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any 192.168.0.0 255.255.0.0 any deny Yes Low
    2 any 172.16.0.0 255.240.0.0 any deny Yes Low
    3 any 10.0.0.0 255.0.0.0 any deny Yes Low
    4 user any svc-http dst-nat ip 163.8.85.68 8080 Low
    5 user any svc-https permit Low
    6 user any svc-dhcp permit Low
    7 user any svc-icmp permit Low
    8 user any svc-dns permit Low
    9 any any any deny Yes Low
    vpnlogon
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user any svc-ike permit Low
    2 user any svc-esp permit Low
    3 any any svc-l2tp permit Low
    4 any any svc-pptp permit Low
    5 any any svc-gre permit Low

    Expired Policies (due to time constraints) = 0

    (P7FUJI01) #


  • 16.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Sep 26, 2010 08:22 PM
    The first policy is guest-blacklist, which is what all packets hit. (any any permit low). Since the rules are evaluated from top to bottom, they never make it past this rule. Remove guest-blacklist from that ruleset.
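    The shadowing Colin describes, as an added example that is not code from the thread or from ArubaOS: a first-match walk over the policies from the "show rights guest" output above (vpnlogon is omitted, and the "controller" alias is given a constructed address).

```python
# Added example (not from the thread or from ArubaOS): first-match evaluation of
# a user role's ACL list, using the policies from the "show rights guest" output.
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "controller" destination alias used by cplogout.
CONTROLLER_IP = "10.36.0.1"
# ArubaOS service aliases -> (protocol, port); port None means "any port".
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
            "svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67), "svc-icmp": ("icmp", None)}

# Policies copied from the thread; each rule is (destination, service, action).
# The source column is "user" or "any" throughout, so it is not modelled.
GUEST_BLACKLIST = [("any", "any", "permit")]
CPLOGOUT = [("controller", "svc-https", "dst-nat 8081")]
GUEST_WEB = [
    ("192.168.0.0/16", "any", "deny"),
    ("172.16.0.0/12", "any", "deny"),
    ("10.0.0.0/8", "any", "deny"),
    ("any", "svc-http", "dst-nat ip 163.8.85.68 8080"),
    ("any", "svc-https", "permit"),
    ("any", "svc-dhcp", "permit"),
    ("any", "svc-icmp", "permit"),
    ("any", "svc-dns", "permit"),
    ("any", "any", "deny"),
]

def dst_matches(rule_dst, dst_ip):
    if rule_dst == "any":
        return True
    if rule_dst == "controller":
        return dst_ip == CONTROLLER_IP
    return ip_address(dst_ip) in ip_network(rule_dst)

def svc_matches(rule_svc, proto, port):
    if rule_svc == "any":
        return True
    want_proto, want_port = SERVICES[rule_svc]
    return proto == want_proto and (want_port is None or port == want_port)

def evaluate(role, proto, dst_ip, port=None):
    """Policies are walked in list order and the first matching rule wins."""
    for name, rules in role:
        for rule_dst, rule_svc, action in rules:
            if svc_matches(rule_svc, proto, port) and dst_matches(rule_dst, dst_ip):
                return name, action
    return None, "deny"  # implicit deny when no rule matches

# The role as posted: guest-blacklist first, so every packet stops there.
AS_POSTED = [("guest-blacklist", GUEST_BLACKLIST), ("cplogout", CPLOGOUT),
             ("guest-web", GUEST_WEB)]
# The role as recommended: only guest-web, so port 80 reaches the dst-nat rule.
AS_FIXED = [("guest-web", GUEST_WEB)]
```

    Running evaluate(AS_POSTED, "tcp", "93.184.216.34", 80) returns the guest-blacklist permit, while the same flow against AS_FIXED returns the dst-nat action, which is why "show acl hits" only ever counted the blacklist rule.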


  • 17.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 08:33 PM
    I've just done a test telnet to the proxy IP/port from the wireless client and I can see it works; however, it doesn't appear as if the controller is doing the NAT as it should... I can't see how I can find hits based on the guest-web policy.

    thanks
    kris


  • 18.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 08:41 PM
    *slaps forehead* of course!! OK, fixed that. We still can't get through; on the firewall we can see the packet but no web access :( I'll check our proxy.


  • 19.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Sep 26, 2010 08:42 PM
    Remove all the ACLs besides the guest-web ACL from the user role, because all of the others just get in the way. You can add security back in, when functionality works. I repeat, remove guest-blacklist, cplogout and vpnlogon from that guest role.


  • 20.  RE: Best way to force guests to use a proxy?

    Posted Sep 26, 2010 11:33 PM
    Thanks Colin, we've got it working now :) you're a star, thanks!


  • 21.  RE: Best way to force guests to use a proxy?

    Posted Oct 28, 2010 04:03 PM



    We're trying to accomplish the same thing here, to replace the WCCP2 provided by our Cisco switch. However, I can't get it to work. I can't see where the d-nat packets go - a netstat on the proxy shows no sign of them. Even though I see firewall hits for the policies on the Aruba controller. What else can I do to trace where these packets are ending up?

    This line below:
    1 user 72.2.0.12 svc-http permit
    Allows traffic directed at the proxy (if I enable manual proxy in the browser, which works) to go through without a d-nat. Any other port 80 traffic is caught by the next rule.
    2 user any svc-http dst-nat ip 72.2.0.12 80

    (Aruba6000) #show rights sls-domain-admin

    Derived Role = 'sls-domain-admin'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 3
    Periodic reauthentication: Disabled
    ACL Number = 56/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 http-proxy-redir
    2 allowall

    http-proxy-redir
    ----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 user 72.2.0.12 svc-http permit Low
    2 user any svc-http dst-nat ip 72.2.0.12 80 Low
    allowall
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
    1 any any any permit Low

    Expired Policies (due to time constraints) = 0



  • 22.  RE: Best way to force guests to use a proxy?

    Posted Nov 01, 2010 07:58 PM
    Resolved. It turns out routing needs to be enabled on the VLANs in question on the controller. We had disabled routing for all VLANs since we have Cisco 6x00s doing our routing. This appears to offer a simple alternative to WCCP for proxy transparency, but we'll see how it works in production. Our Cisco 6000 Sup1/MSFC was choking during peak loads using WCCP2... :-(


  • 23.  RE: Best way to force guests to use a proxy?

    Posted Feb 07, 2011 10:49 PM
    Sorry for bringing up this old thread..
    I managed to force HTTP traffic to my proxy server.. but it's not working for HTTPS traffic.
    I'm using Bluecoat ProxySG and did a policy trace..

    For HTTP traffic, I can see the URL being forwarded to the proxy from the wireless controller IP (interface NAT on the controller).

    For HTTPS traffic, I'm seeing the URL translated to the proxy IP.

    I'm puzzled with all of these.. because to my gut feeling, I think that the HTTPS behaviour is what I'm supposed to get logically, whereas HTTP is not. Reason behind.. I don't understand WHY a dst-nat of ANY HTTP traffic to the proxy IP will retain its full actual URL as what the user typed and forward it to the proxy.

    Whereas for HTTPS, the dst-nat is doing its job: it translates the URL to the proxy IP and thus it fails on my Bluecoat..

    Any help to resolve this?


  • 24.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Feb 08, 2011 05:26 AM
    dst-NAT will ONLY work on port 80, unfortunately. SSL using dst-nat and Bluecoat will not work in that fashion, unfortunately.


  • 25.  RE: Best way to force guests to use a proxy?

    Posted Feb 23, 2011 09:39 PM



    Ya.. pretty frustrated with this..

    In a way, do you see this as a bug? It seems that a wrong behaviour for port 80 makes things work, whereas a correct behaviour for 443 just breaks it.



  • 26.  RE: Best way to force guests to use a proxy?

    EMPLOYEE
    Posted Feb 23, 2011 09:45 PM
    No, because SSL does not work with destination NAT on any platform. Aruba is no exception to that rule.


  • 27.  RE: Best way to force guests to use a proxy?

    Posted Oct 11, 2011 05:10 PM
    Hi All,

    I know this is an old post, but we're just starting a content filtering initiative and I'm interested to know how people handle 443 traffic since destination NAT doesn't work.

    Thanks,
    Pete


  • 28.  RE: Best way to force guests to use a proxy?

    Posted Jul 14, 2015 02:31 AM

    I'm so curious about this. How can a DNAT of all HTTP traffic to the proxy server work if the client browser usually does not include the host in the URL of a direct HTTP request? Has that changed over time on latest versions of browsers?
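    The question above, and the HTTPS failure in the earlier posts, come down to what the proxy can read once the controller has rewritten the destination IP; the following is an added example, not code from the thread or from any proxy vendor, with constructed sample requests. For port 80 the Host header (mandatory in HTTP/1.1) still names the site, so the proxy can rebuild the origin URL; for port 443 the first bytes are a TLS ClientHello, which the proxy could only serve by terminating TLS with a certificate that does not match the site, which the browser rejects.

```python
# Added example (not from the thread): what a transparent proxy can recover
# about the original destination after dst-nat, for HTTP versus HTTPS.
def recover_origin(first_bytes):
    """Return the origin URL the client wanted, or None if it cannot be known."""
    # A TLS record starts with content type 0x16 (handshake) and version 0x03xx.
    # The ClientHello is not plaintext HTTP, so there is no Host header to read.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return None
    head, _, _ = first_bytes.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # not an HTTP request line at all
    target = parts[1]
    if target.startswith(b"http://"):
        # A browser with a manual proxy setting already sends the absolute URL.
        return target.decode("ascii")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            # Host is mandatory in HTTP/1.1; this header is what lets a
            # transparent proxy serve dst-NAT'd port 80 traffic at all.
            return "http://" + value.strip().decode("ascii") + target.decode("ascii")
    return None  # e.g. HTTP/1.0 without Host: the origin went away with the IP

# Constructed samples of what arrives at the proxy after dst-nat.
HTTP_REQUEST = (b"GET /search?q=aruba HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: constructed\r\n\r\n")
PROXY_FORM_REQUEST = (b"GET http://www.example.com/ HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n\r\n")
HTTP10_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # record prefix only
```

    The HTTP/1.0 case without a Host header is the situation the last post worries about; modern browsers always send Host, so in practice only the TLS case stays unrecoverable.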