Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ESI ReDirect for HTTP Proxy Fails

  • 1.  ESI ReDirect for HTTP Proxy Fails

    Posted Aug 18, 2014 02:39 PM

    I) On the Aruba controller I have created a user rule using an ESI (external services interface) redirect for http traffic to be routed through the Barracuda. When functioning correctly, http traffic is filtered and inappropriate/blocked content is handled the way it should be. 

     
    II) When functioning correctly, the firewall monitor on the Aruba controller shows the hits associated with that rule and it appears to be redirecting to the Barracuda.
     
    Here's what happens when things get flaky:
    1. A student iPad or OS X user connects to the wireless SSID. 
    2. The user is able to navigate the Internet and is filtered (blocked) if the user goes to a blocked site.
    3. The user then goes idle for whatever reason (basically stops accessing the Internet).
    4. After about 5-10 minutes of inactivity, the user goes back to accessing the Internet, but then has no access to http requests. The Barracuda web log shows no activity from that user, but the wireless controller's firewall shows that the http request is being forwarded to the Barracuda. Again, the user has no access to http resources, filtered or otherwise. It's like the Barracuda just does not process the request at all.
    5. The user disables wifi on the device, waits a moment (literally the time it takes to disable wifi and enable it again), enables their wifi connection and is then able to access http resources.
    Something to consider is that this only happens via the ESI redirect from the controller. If the proxy settings are manually inserted into the wifi settings on an iPad or OS X device, this problem does not occur. I could issue a Configuration Profile via our management system but have not for a couple of reasons. 1) It's too easy for a user to simply remove the proxy settings on an iPad and 2) if a user has a Mac or PC laptop, they'd have to be enrolled in our MDM system and we are only enrolling iPads.
     
    I guess my biggest question is this: considering that the Aruba controller appears to be managing the redirect correctly (being able to see the firewall traffic leads me to believe that it is) and that the situation can be remedied by re-establishing the wifi connection, is there something related to the user authentication that could be causing this? The SSID that has this role associated with it uses AD Credentials authenticated against an internal RADIUS server.


  • 2.  RE: ESI ReDirect for HTTP Proxy Fails

    EMPLOYEE
    Posted Aug 18, 2014 02:43 PM

    mbayhylle,

     

    How does the user authenticate to get onto the network?

     



  • 3.  RE: ESI ReDirect for HTTP Proxy Fails

    Posted Aug 18, 2014 02:45 PM

    The user is prompted by the iPad to provide his AD username and password at initial login to the network. Once this step is complete the device stores this login information. The AD Credentials are authenticated against a RADIUS Server.



  • 4.  RE: ESI ReDirect for HTTP Proxy Fails

    EMPLOYEE
    Posted Aug 18, 2014 02:50 PM

    mbayhylle,

     

    Is it an 802.1x network, or is it a Captive Portal network? When the user has a problem, do they have to re-login using the Captive Portal or 802.1x?

     



  • 5.  RE: ESI ReDirect for HTTP Proxy Fails

    Posted Aug 18, 2014 02:53 PM

    It is an 802.1x network. When the problem occurs they simply have to disable their wifi connection and then re-enable it (so essentially re-authenticating using their cached credentials). The rule then begins to work correctly.



  • 6.  RE: ESI ReDirect for HTTP Proxy Fails

    EMPLOYEE
    Posted Aug 18, 2014 02:59 PM

    mbayhylle,

     

    Thank you for that information.

     

    Does your device get a specific role when it passes 802.1x authentication, and is that the role that has the ESI redirect command?

    In addition, does your AAA profile have an initial role and a default 802.1x role? Can you try changing the initial role for your aaa profile to the production role with the ESI rules in it? It could be that after inactivity, your user is being changed back to the initial role, and that role does not have the ESI rules.



  • 7.  RE: ESI ReDirect for HTTP Proxy Fails

    Posted Aug 18, 2014 03:01 PM

    Yes, the initial role is different than the 802.1x role. I will test that and see if it helps to resolve this. 



  • 8.  RE: ESI ReDirect for HTTP Proxy Fails

    Posted Aug 18, 2014 04:24 PM

    I made the change to the initial logon role and this does not seem to help.



  • 9.  RE: ESI ReDirect for HTTP Proxy Fails

    EMPLOYEE
    Posted Aug 18, 2014 04:28 PM

    Can you enable debug logging for a user who has the issue?