  1. #1

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    18,164
    Thank Post
    522
    Thanked 2,558 Times in 1,985 Posts
    Blog Entries
    24
    Rep Power
    879

    Keeps prompting for authentication for proxy

    We have recently set up an authenticated proxy here, and all devices are happy with it except Apple iPads.

    Users put their username and password in the proxy settings and for the most part, that works fine. However, randomly, it keeps prompting for them to enter a username and password.

    I've already got the following domains excluded from the need to authenticate:

    .mzstatic.com
    securemetrics.apple.com
    .phobos.apple.com
    .icloud.com
    .itunes.apple.com
    xp.apple.com

    Are there more Apple/iTunes/iPad related addresses I should exclude?

  2. #2

    localzuk's Avatar
    I've now added .apple.com as an exclusion - as there appear to be a pile of domains I'd missed but all of them are under apple.com.

    Let's see if that fixes it.

  3. #3

    jinnantonnixx's Avatar
    Join Date
    Mar 2011
    Location
    In the Calamatorium.
    Posts
    2,028
    Thank Post
    120
    Thanked 513 Times in 347 Posts
    Blog Entries
    2
    Rep Power
    288
    I use a combination of dstdomain and browser headers and combine them in an access URL.

    (Squid 3.1)


    Code:
    acl iTunes_header browser iTunes oscpd QuickTime GCSL GCSP InetURL/1.0 AppleCoreMedia
    acl iTunes_dst dstdomain .apple.com .gcsp.cddbp.net .icloud.com  ax.phobos.apple.com.edgesuite.net .mzstatic.com
    ....
    ....
    
    http_access allow iTunes_header iTunes_dst
    Last edited by jinnantonnixx; 18th June 2013 at 10:02 AM.

  4. #4

    Join Date
    Aug 2012
    Posts
    36
    Thank Post
    0
    Thanked 3 Times in 3 Posts
    Rep Power
    5
    albert.apple.com
    ax.phobos.apple.com
    configuration.apple.com
    securemetrics.apple.com
    p06-fmip.icloud.com
    ax.init.itunes.apple.com
    gs.apple.com
    keyvalueservice.icloud.com
    appldnld.apple.com
    setup.icloud.com
    itunes.com
    icloud.com
    p09-mobilebackup.icloud.com
    gsp1.apple.com
    ax.itunes.apple.com
    p09-quota.icloud.com
    metrics.apple.com
    courier.push.apple.com
    itunes.apple.com
    apple.com

    Have you set up a VLAN for iPads on wireless and allowed that VLAN with no authentication, but pushed it through a group like students?

    We have 3 VLANs for wireless: one with authentication for laptops / iPad for staff and iPads for students.
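
Added example, not part of any post in this thread: a Python approximation of Squid's dstdomain matching, run over the acl patterns from post #3 and the host list from post #4, to show which listed hosts a suffix exclusion already covers and how much of a domain each pattern exempts from authentication. The function names are illustrative.

```python
# Added example (not from the thread): approximate Squid dstdomain matching
# and use it to audit an authentication-bypass list.

# Patterns from the iTunes_dst acl in post #3.
ACL_PATTERNS = [
    ".apple.com", ".gcsp.cddbp.net", ".icloud.com",
    "ax.phobos.apple.com.edgesuite.net", ".mzstatic.com",
]

# Host names listed in post #4.
HOSTS = """albert.apple.com ax.phobos.apple.com configuration.apple.com
securemetrics.apple.com p06-fmip.icloud.com ax.init.itunes.apple.com
gs.apple.com keyvalueservice.icloud.com appldnld.apple.com setup.icloud.com
itunes.com icloud.com p09-mobilebackup.icloud.com gsp1.apple.com
ax.itunes.apple.com p09-quota.icloud.com metrics.apple.com
courier.push.apple.com itunes.apple.com apple.com""".split()


def dstdomain_match(host, pattern):
    """Leading-dot pattern: the domain and all subdomains. Otherwise: exact host."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def audit(hosts, patterns):
    """Return ({pattern: [hosts it covers]}, [hosts no pattern covers])."""
    covered, uncovered = {}, []
    for host in hosts:
        hit = next((p for p in patterns if dstdomain_match(host, p)), None)
        if hit is None:
            uncovered.append(host)
        else:
            covered.setdefault(hit, []).append(host)
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = audit(HOSTS, ACL_PATTERNS)
    for pattern, hosts in covered.items():
        print(f"{pattern}: {len(hosts)} listed hosts already covered")
    print("not covered by any pattern:", uncovered)
```

Every host a pattern covers is reachable without proxy authentication, so a single leading-dot entry exempts the whole domain, not just the hosts someone happened to list.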

  5. #5

    localzuk's Avatar
    There isn't a VLAN for them yet - our wireless will be getting a redesign in summer where things will be split off.

    Not sure what you mean 'allow that vlan with no authentication but push it through a group like students'. The iPads we have here are all individually assigned to staff at the moment, so they put their individual login details in. However, any devices which end up 'floating' will end up with a captive portal for logging in instead when it gets changed.

    It's just these addresses I need to add to get it to ignore auth for the specific addresses.

    Why can't Apple do things properly?!

  6. #6

    jinnantonnixx's Avatar
    Quote, originally posted by localzuk:
        It's just these addresses I need to add to get it to ignore auth for the specific addresses.

        Why can't Apple do things properly?!

    That acl combo works for us for all our iPads and Macs.

    It's not just Apple, lots of software assumes no proxy is present.

  7. #7

    You will find that some apps will not authenticate because they are not proxy aware.

    To get round this - what are you using for filtering? We use Smoothwall and have groups set up, staff and students.

    SSID - Staff - VLAN 101 - has no authentication required and its IP range maps to Staff filtering policy group
    SSID - Students - VLAN 102 - has no authentication required and its IP range maps to Student filtering policy group
    SSID - Wireless - VLAN 103 - NTLM authentication for laptops etc

    It all depends on what you can achieve with your filtering and authentication - if you use the standard captive portal, a lot of apps will not function as there is no captive portal available to the app.

  8. #8

    localzuk's Avatar
    We have SWGfL filtering - we can't adjust filtering to a granular level - i.e. different levels for different groups.

    If we shift to a captive portal for all iPads, this would resolve the issue, wouldn't it? We can't have zero auth, as we can't then tell who went on what sites.

    Captive portal works for all devices afaik - as you have the proxy as the gateway on the device, and users have to log in via a web browser first, and then all apps just get normal access.

  9. #9

    It depends on what you want to achieve and your network layout - if you set your gateway to the internet filter you obviously limit yourself on accessing network resources using WebDAV for home drives etc.

    If you are assigning iPads 1:1, you get them to name the device properly and DHCP will pick up the device name - means you track the IP to the user.
    I have not used SWGfL before so cannot confirm if the captive portal will work or not. The issue arises when the apps do not know how to redirect to username and password, as some are not programmed to understand being behind a proxy. It's a trial and error - once you whitelist those domains you have no traceability anyway.

  10. #10

    localzuk's Avatar
    Quote, originally posted by bshingler:
        It depends on what you want to achieve and your network layout - if you set your gateway to the internet filter you obviously limit yourself on accessing network resources using WebDAV for home drives etc.

    We have no need for this - home drives are accessible via our VLE.

        If you are assigning iPads 1:1, you get them to name the device properly and DHCP will pick up the device name - means you track the IP to the user.
        I have not used SWGfL before so cannot confirm if the captive portal will work or not. The issue arises when the apps do not know how to redirect to username and password, as some are not programmed to understand being behind a proxy. It's a trial and error - once you whitelist those domains you have no traceability anyway.

    We're not assigning 1:1 - we have no need and no money to do so. iPads are used by a few teachers and the SEN dept here, that's it.

    The captive portal would be on the wireless - not on our filtering. So, people would sign in to use the wireless, and the internet then routed via our onsite proxy.

  11. #11

    localzuk's Avatar
    Seems that's going to be my plan then:

    All iPads and Android devices will have their own VLAN. The VLAN will have a captive portal and it'll be a transparent proxy. Our wireless will log usernames against IPs, and our proxy will log IPs against sites.
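
Added example, not part of any post in this thread: the two-log attribution described in post #11, joining a wireless session log (username against IP) with proxy log lines (IP against site) by time window. Both logs are constructed; the session CSV layout and function names are hypothetical, and the proxy lines assume Squid's native access.log field order with synchronised clocks on both systems.

```python
# Added example (not from the thread): attribute proxy requests to users by
# joining captive-portal sessions (username <-> IP) with proxy log lines.
import csv
import io
from collections import defaultdict

# Constructed wireless session log; the CSV layout is hypothetical.
SESSIONS_CSV = """username,ip,login_epoch,logout_epoch
jsmith,10.20.0.15,1371546000,1371549600
akhan,10.20.0.15,1371550000,1371553600
tlee,10.20.0.22,1371546300,
"""

# Constructed proxy lines in Squid native access.log field order.
PROXY_LOG = """1371546120.101 230 10.20.0.15 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/192.0.2.10 text/html
1371550500.455 80 10.20.0.15 TCP_MISS/200 900 GET http://example.net/a - DIRECT/192.0.2.20 text/html
1371549800.000 45 10.20.0.15 TCP_MISS/200 700 GET http://example.com/ - DIRECT/192.0.2.30 text/html
1371560000.250 60 10.20.0.22 TCP_MISS/200 300 CONNECT example.org:443 - DIRECT/192.0.2.10 -
"""


def load_sessions(text):
    """Map each IP to its sessions as sorted (start, end, username) tuples."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        # A missing logout time means the session is still open.
        end = float(row["logout_epoch"]) if row["logout_epoch"] else float("inf")
        by_ip[row["ip"]].append((float(row["login_epoch"]), end, row["username"]))
    for sessions in by_ip.values():
        sessions.sort()
    return by_ip


def user_at(by_ip, ip, ts):
    """Latest session on this IP that was open at ts; None if there is none."""
    for start, end, user in reversed(by_ip.get(ip, [])):
        if start <= ts < end:
            return user
    return None


def attribute(proxy_text, by_ip):
    """Return (ip, url, username or None) for each well-formed proxy line."""
    results = []
    for line in proxy_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated lines rather than guess
        ts, ip, url = float(fields[0]), fields[2], fields[6]
        results.append((ip, url, user_at(by_ip, ip, ts)))
    return results
```

The same IP resolves to different users at different times, and the third constructed request falls between two sessions and stays unattributed; requests like that are the ones to review when relying on this scheme for accountability.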


