The auth in Ruckus is authenticating against AD, which is working fine. I am stuck on trying to get the Smoothwall auth page to display. I've set up transparent proxies with SSL page with cookie but no luck. Just to make sure I've got it right...
192.168.12.1:80 ¦ everyone, byod-staff ¦ SSL page within session
I've seen that my test devices are trying to access 192.168.12.1/..../login.asp, which I suppose is the login page, but nothing is displaying.
I've not been into Guardian to check the new interfaces, I've only been into the web proxy side.
It's your Ruckus config....
In guest access on the ZoneDirector you need to put in exceptions for the Smoothwall IPs. I suspect you have client isolation on (which is a good idea) but by default the Ruckus security blocks IPs including the auth page.
Ahhh ok, so if I add 192.168.12.1 and 192.168.16.1 to the security policy and set to allow it should work. Am I right in thinking this is where the private IP ranges are set to deny?
Yes, that's it. It's in the guest access tab in Ruckus.
Will have a look tomorrow, thanks Rob, getting there slowly.
I had to allow access from the port2 interface to port 80 and 442 - System - Administration - External Access. Otherwise the SSL page doesn't show. Strange thing is you can ping Google for instance but can't browse until you follow this step.
Right ok. Today I have added 192.168.12.0/22 | Allow and 192.168.16/21 | Allow to Guest Access >> Restricted Subnet Access in my Ruckus config.
Thanks to @AliG, I've added in Smoothwall System >> Administration >> External Access
Interface | Source | Service | Enabled
Port 1-1_BYOD-Staff | 192.168.12.0/22 | Other web access on HTTP (80) | Enabled
Port 1-1_BYOD-Staff | 192.168.12.0/22 | Other web access on HTTPS (442) | Enabled
Port 1-2_BYOD-Student | 192.168.16.0/21 | Other web access on HTTP (80) | Enabled
Port 1-2_BYOD-Student | 192.168.16.0/21 | Other web access on HTTPS (442) | Enabled
This displays the SSL login, which works when I use a test login, and I can see them in Services >> Authentication >> User Activity; however, I cannot browse to any sites.
@robk I have checked Guardian >> Web filter >> location blocking and the 2 locations in there are set to allowed.
There must be something i am missing.
Is DNS working on the client?
Trying to think what's missing. We don't seem that far off working!
DNS seems to be kinda working. I cannot get to Google, however I can get to BBC, but can get to Google via IP address and then search in Google. Oh, I cannot get to gmail.com either.
The DNS settings on the client are 22.214.171.124 and 126.96.36.199.
The DNS settings on the Smoothie are 188.8.131.52 and 184.108.40.206.
Ok, does nslookup work on the client? To me it sounds like DNS is blocked. I added zone bridging rules, but I think in your case I would recommend DNS proxy.
For DNS proxy you turn the service on and set DNS in DHCP to the Smoothie IP for the subnet.
nslookup on the client gives:
addresses: 220.127.116.11, 18.104.22.168, 22.214.171.124
Also, I can ping google.co.uk and it pings fine.
In my Services >> DNS >> DNS Proxy I have got:
Port1 - Main network domain = ticked
Port 1-1_BYOD-Staff = Ticked
Port 1-2_BYOD_Student = Ticked
Forward SRV & SOA Records = Not ticked
Just changed DHCP settings so in Services >> DHCP >> DHCP Services they now read for BYOD-Staff
Primary DNS: 172.16.24.8
Default Gateway: 192.168.12.1
- Tested... nslookup:
cannot find server for address 172.16.24.8
Setting Pri DNS back to 126.96.36.199
Just an update on this...
Just tried it on my phone and Google works fine, however on a Windows XP laptop it doesn't.... strange??
If you're using IE on the XP laptop it won't support transparent HTTPS connections if HTTPS filtering is turned on for the web proxy auth method. Try using Firefox/Chrome etc and https google/gmail should work.
Have a look at the web filter logs, if it says something along the lines of "Transparent HTTPS connection not supported by web client" then that's the issue.
Working now I've turned off HTTPS.
Thank you all, especially @robk.
Glad to hear it's all working! And documented on here to boot.