Wireless Access

Hi Guys,

I wondered if anyone might be able to add any ideas for a problem I am having.  I have a school that uses a proxy server for internet access, a Microsoft TMG server.  PC's on the LAN have no issue accesing the internet, they pass through their locally logged on user and access the internet, however NON-Domain machines like ipads get prompted all the time when connecting to the internet.

The users are finding this a problem as it is asking for credentials alot.

Has anyone had to deal with this before and if so what was the resolution?

Cheers

Dave

You could:

(1) Configure a separate WLAN for non-domain devices that put traffic on a VLAN that is not authenticated by the proxy or:

(2) Configure a rule on your radius server to detect non-domain devices and put them into a VLAN that is not authenticated by the proxy.

Thanks for the reply, yes this is what i thought of, but the school needs detailed records of ho is accessing what! this is where the problem lies.

I was hoping somone might have used a particular proxy that perhaps has a long session timeout or somthing allowing users to only have to auth at the start of the day for instance.

Dave_Stern,

Are you in the market for a proxy that has that functionality, or how to make it work with your existing proxy?  It would narrow down the answers from your audience to something that you would find useful.

I am open to suggestions!

They currently have a TMG, if there is a way to make this work then fine, if others have a suggestion about other proxies they use, thats also fine!

Dave

I've hit this with Academia lots of times in the UK. Proxies (i.e. REAL proxies, looking for proxy traffic are a pain in the !*£#).

One thing we've done a couple of times is as follows...

As CJ suggests, create another VLAN for starters, and associate this service with that VLAN. On the TMG, add a new interface (with IP address/subnet). If it's a REAL server, this depends on you having another NIC. If it's a ESXi or similar, the host normally has spare NICs in my experience. Make the TMG the default gateway on the VLAN, and enable the policies on the TMG to route traffic in from that new NIC IP/subnet (and NOT auth it), and apply content control as liked. But, keep the interface configuration set so it doesn't NEED to see proxy traffic, just NORMAL HTTP/HTTPS. Then it's just a case of applying the firewall roles on your controller for this service as you like, and supplying DHCP somewhere. Oh, the TMG will probably need to NAT too.

I don't pretend to have a full "guide" for how to do the TMG part. Normally, a Microsoft knowledgable customer can get this done. Either that, or have a look around Technet/Google?

Just a thought...

Thanks, I think this is going to be the only solution. 

Thanks for the responses.

Cheers

Dave

No problem Dave. Good luck with it.

For what it's worth Microsoft TMG is horrible in my opinion. It can work, but it seems to enjoy a fight. I understand why schools use it as there's a natural overlap in terms of internal skill set to support.

Having said that, not sure if I hate TMG or Smoothwall more!!!

All the best.