9th November 2009, 08:41 PM #1 Smoothwall content filter with bluesocket wireless
Hello people,
as the title suggests we have a smoothwall content filter and we are also using a bluesocket wireless setup.
What I want to know is if anyone has set up their smoothwall to allow bluesocket web access but still have it filtered?
Our setup is as follows:
BlueSocket : LDAP / Radius authentication using web portal for login information or machine based authentication.
Smoothwall : LDAP / AD authentication (not at the office but I think ident with terminal services)
I can get the wireless clients to connect to the network and authenticate no problem; the issue is that a username and password is NOT being passed to the smoothwall and content filtering fails, so users are unable to browse.
How do I set up smoothwall so that the wireless clients can surf the web but still be filtered?
Answers on a post card please......
-
-
9th November 2009, 08:57 PM #2 It works for me... my users are using NTLM pass-thru to AD authentication. Mobile Guardian is now being used to set proxy details too.
Of course, these are managed computers. I've got to set up the whole captive-portal style thing and I'm leaning towards AD auth through a web page... the users will then get passed to a VLAN which I'll put through a specific port on my UTM and just filter ALL the traffic.
-
-
10th November 2009, 07:41 AM #3 Ric_: Where are you setting the NTLM pass-thru as I am sure if I can do this it will all work also but I must be blind as I cannot see where it is set?
-
-
10th November 2009, 09:07 AM #4 
Originally Posted by
ICTNUT
Ric_: Where are you setting the NTLM pass-thru as I am sure if I can do this it will all work also but I must be blind as I cannot see where it is set?
If you're using ident in terminal services compat mode aren't you already using NTLM?
If your wireless users are on unmanaged machines you will have to use either the ssl login page option or rely on the pop up window that the smoothwall will give your users if it can't authenticate them automatically. I found both these worked fine with Windows clients but Mac did not get on well at all (SSL login didn't work and the pop up window was a bit flaky, sometimes repeatedly asking for credentials when clicking on links) - for now our guest wireless are not authenticated as a result.
-
-
10th November 2009, 09:41 AM #5 
Originally Posted by
ICTNUT
Ric_: Where are you setting the NTLM pass-thru as I am sure if I can do this it will all work also but I must be blind as I cannot see where it is set?
On your Bluesecure controller, go to 'User Authentication' -> 'Authentication Server' -> 'Create... Transparent NTLM Windows Authentication'
Fill in the relevant domain controller details and in the drop down box named 'or using LDAP/Active Directory server' simply select your AD authentication settings.
It's all in the BlueSocket training materials that are available off the support pages of their website (along with lots of other good stuff).
-
Thanks to Ric_ from:
ICTNUT (11th November 2009)
-
11th November 2009, 08:34 AM #6 
Originally Posted by
Ric_
It works for me... my users are using NTLM pass-thru to AD authentication. Mobile Guardian is now being used to set proxy details too.
Of course, these are managed computers. I've got to set up the whole captive-portal style thing and I'm leaning towards AD auth through a web page... the users will then get passed to a VLAN which I'll put through a specific port on my UTM and just filter ALL the traffic.
I have set up AD (transparent NTLM) auth through the SSL web page on the bluesocket and authentication works (these are unmanaged laptops and mobile devices).
On the status page for the bluesocket I can see the users that have authenticated but they cannot surf. Smoothwall is still coming back with unknown username or password and tries to stick them in the unauthenticated users, which I have set up as a default block everything.
Seeing that the bluesocket bit is ok I will assume that there is still something I need to do on the smoothwall....
Last edited by ICTNUT; 11th November 2009 at 08:38 AM.
Reason: typo
-
-
11th November 2009, 08:51 AM #7 Are you using the Smoothie as a transparent proxy? IIRC a transparent proxy cannot authenticate users.
This is why I plan to do it the way I describe above. Dump the unmanaged devices onto a different VLAN with only access to the Smoothie box and then tell Smoothie to act as a transparent proxy on that VLAN, applying a strict filtering policy.
-
-
11th November 2009, 09:20 AM #8 
Originally Posted by
Ric_
Are you using the Smoothie as a transparent proxy? IIRC a transparent proxy cannot authenticate users.
This is why I plan to do it the way I describe above. Dump the unmanaged devices onto a different VLAN with only access to the Smoothie box and then tell Smoothie to act as a transparent proxy on that VLAN, applying a strict filtering policy.
Nope, not using smoothie as a transparent proxy, using NTLM Identification (Terminal Services compatibility mode)
So my next question would be how do you have the smoothie set up with more than one authentication method?
We do want to be able to log all the kids and their access and would like to do the same for the wireless access, but if that is not possible just making sure that the wireless internet access is filtered (strict) would suffice.
-
-
11th November 2009, 11:17 PM #9 Oz, you can only use a single authtype at the moment (though this is changing).
Call me (back Friday) or RobF (0113 3874181, in tomorrow all day AFAIK) and we'll have a poke about.
-
Thanks to tom_newton from:
ICTNUT (12th November 2009)
-
12th November 2009, 08:53 AM #10
-
-
12th November 2009, 08:57 AM #11 @ICTNUT: If the users are on unmanaged machines, will NTLM (or other types of) authentication work?
If Smoothie acts as a transparent proxy, you will log all the IPs of the users and you can cross reference that with your ClueSocket logs. A PITA but you can still find those little darlings that are looking for pr0n.
-
-
12th November 2009, 09:43 AM #12 
Originally Posted by
Ric_
@ICTNUT: If the users are on unmanaged machines, will NTLM (or other types of) authentication work?
If Smoothie acts as a transparent proxy, you will log all the IPs of the users and you can cross reference that with your ClueSocket logs. A PITA but you can still find those little darlings that are looking for pr0n.
Hmm, that's a good point. I have a script that runs which will only allow a single logon instance for any student or staff, with the time, date, IP, and pc name being logged to a central database, so finding out who did what is not really going to be that much of an issue.
I will have a play and let you know.
-
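Added example (not part of any post in this thread, and not Smoothwall or BlueSocket code): the cross-referencing described in posts #11 and #12, attributing transparent-proxy requests that carry only a client IP to the user whose wireless login session covered that time. The log layouts, addresses, usernames and URLs are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample data. The column layouts are assumptions for this
# example, not the real Smoothwall or BlueSocket log formats.
SESSIONS = """\
2009-11-12T08:55:00 2009-11-12T09:30:00 10.20.0.15 jsmith
2009-11-12T09:35:00 2009-11-12T10:10:00 10.20.0.15 akhan
2009-11-12T09:00:00 2009-11-12T09:50:00 10.20.0.16 bjones
"""  # login, logout, client IP, user
PROXY = """\
2009-11-12T09:05:12 10.20.0.15 http://site-a.example/
2009-11-12T09:40:03 10.20.0.15 http://site-b.example/
2009-11-12T09:32:00 10.20.0.15 http://site-c.example/
2009-11-12T09:10:00 10.20.0.99 http://site-d.example/
"""  # request time, client IP, URL

def load_sessions(text):
    """Index sessions by IP, sorted by login time."""
    by_ip = {}
    for line in text.splitlines():
        start, end, ip, user = line.split()
        by_ip.setdefault(ip, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), user))
    for sessions in by_ip.values():
        sessions.sort()
    return by_ip

def attribute(proxy_text, by_ip):
    """Return (time, ip, url, user); user is None when no session covers the request."""
    results = []
    for line in proxy_text.splitlines():
        ts, ip, url = line.split()
        when = datetime.fromisoformat(ts)
        sessions = by_ip.get(ip, [])
        # Latest session on this IP that began at or before the request.
        i = bisect_right([s[0] for s in sessions], when) - 1
        user = None
        if i >= 0 and when <= sessions[i][1]:
            user = sessions[i][2]
        results.append((ts, ip, url, user))
    return results

if __name__ == "__main__":
    for row in attribute(PROXY, load_sessions(SESSIONS)):
        print(*row)
```

Matching on IP alone would pin the second request on jsmith; the session time window is what separates two users who held the same address, and it only holds if both devices keep synchronised clocks.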
-
12th November 2009, 09:45 AM #13 Where on the smoothie do we set transparent proxy then......?
-
-
12th November 2009, 09:57 AM #14 
Originally Posted by
ICTNUT
Where on the smoothie do we set transparent proxy then......?
Guardian -> Web Proxy
Just give me remote access to your systems and I'll set it up for you shall I?
-
-
12th November 2009, 10:08 AM #15 Error - NTLM in Terminal Services compatibility mode cannot be used with 'Transparent' enabled
Which one should I set it to then?
Ident by IP??
-