  1. #1


    Smoothwall and Meru Wireless Network

    We have built a Meru wireless network with Smoothwall filtering and we are now experimenting with the best way to manage school-owned Windows and iOS clients and BYOD. Anybody got this sorted yet?

    Our current issues revolve around...
    Choosing which authentication method is used for each group of clients
    Transparent and non-transparent proxies
    Managing W7 Starter netbooks
    Managing iPad & iPod Touches
    Guest users
    Last edited by tommylawson; 9th January 2013 at 04:44 PM.

  2. #2
    drewp's Avatar
    Set up a transparent proxy server with SSL cookie authentication in SmoothWall, working well for us.

    I don’t think there is much management of personal devices that you could do. Meraki offer a free Mobile Device Management system which you could use to manage your school owned devices with.

  3. #3

    We have WPAD forcing proxy settings into Windows laptops etc in our Boarding House (Meru wireless) but things like iPads need the proxy settings entering manually, as the network these things reside on has been isolated from the main network with ACL policies, breaking transparent authentication.

  4. #4

    We have 5 SSIDs (Curriculum, iOS, BYOD, Admin, Guest) on our wireless (Ruckus), all on their own VLAN (makes it much easier for setting up locations, segregating traffic etc).

    Curriculum is school-owned laptops and Windows devices (so all on the domain) which all pick up the non-transparent proxy settings from group policy.

    iOS is for school-owned iOS devices and is transparently authenticated against a location which we have set up a separate filtering policy for (so we can get apps working easier).

    Admin is for admins and we transparently filter that as a 'whitelist all'.

    BYOD is for staff and KS5 personal devices (mix of phones, tablets, laptops etc) and this is transparently set to redirect to SSL login page (with session cookie); they get filtered appropriately to what they log in as. We have basically said we won't support apps on the BYOD SSID: if they work they work, if they don't then that's unfortunate, but we don't have the time to get every app working for every person. This is different on the iOS SSID, which is why we filter it differently.

    Just a quick insight into how we work, it is going well and to be honest, we couldn't think of many better ways to do it.

    The issue with iOS devices (unsure if this has changed in a recent update) is that apps don't always pick up the proxy settings; some will ignore them and try to access the net directly, bypassing your filter if it isn't inline. You're also unable to lock down iOS wifi settings, so someone can just come along and turn off the proxy anyway. We found the best way to get this to work was to transparently filter the iOS devices, eliminating the need for the proxy settings to be used... As I say, 'global proxy' might work differently, which I believe can now be rolled out using MDM, but even then, we've found most MDM solutions really don't work in the way we would want them to, and are expensive for what they do (AirWatch for example).
    Last edited by RTFM; 17th January 2013 at 09:02 AM.

  5. #5
    Tsonga's Avatar
    Quote Originally Posted by RTFM View Post
    We have 5 SSIDs (Curriculum, iOS, BYOD, Admin, Guest) on our wireless (Ruckus), all on their own VLAN (makes it much easier for setting up locations, segregating traffic etc).

    Curriculum is school-owned laptops and Windows devices (so all on the domain) which all pick up the non-transparent proxy settings from group policy.

    iOS is for school-owned iOS devices and is transparently authenticated against a location which we have set up a separate filtering policy for (so we can get apps working easier).

    Admin is for admins and we transparently filter that as a 'whitelist all'.

    BYOD is for staff and KS5 personal devices (mix of phones, tablets, laptops etc) and this is transparently set to redirect to SSL login page (with session cookie); they get filtered appropriately to what they log in as. We have basically said we won't support apps on the BYOD SSID: if they work they work, if they don't then that's unfortunate, but we don't have the time to get every app working for every person. This is different on the iOS SSID, which is why we filter it differently.

    Just a quick insight into how we work, it is going well and to be honest, we couldn't think of many better ways to do it.

    The issue with iOS devices (unsure if this has changed in a recent update) is that apps don't always pick up the proxy settings; some will ignore them and try to access the net directly, bypassing your filter if it isn't inline. You're also unable to lock down iOS wifi settings, so someone can just come along and turn off the proxy anyway. We found the best way to get this to work was to transparently filter the iOS devices, eliminating the need for the proxy settings to be used... As I say, 'global proxy' might work differently, which I believe can now be rolled out using MDM, but even then, we've found most MDM solutions really don't work in the way we would want them to, and are expensive for what they do (AirWatch for example).
    This was exactly what I was aiming for in my previous school and I couldn't work out a better way to do it. Do you also use the guest access through Ruckus?

  6. #6

    Quote Originally Posted by Tsonga View Post
    This was exactly what I was aiming for in my previous school and I couldn't work out a better way to do it. Do you also use the guest access through Ruckus?
    We don't but we will be doing. It's easy enough for an end user (receptionist or someone) to log in to the portal and print off some temporary keys (or 100 and have them saved somewhere).

  7. #7
    Mr_P's Avatar
    Quote Originally Posted by drewp View Post
    Set up a transparent proxy server with SSL cookie authentication in SmoothWall, working well for us.

    I don’t think there is much management of personal devices that you could do. Meraki offer a free Mobile Device Management system which you could use to manage your school owned devices with.
    Make sure you use the cookie option as the other will timeout on you pretty quickly.

    The login page you get works with most browsers, but we have issues with Safari with it. You can customize it easily.

  8. #8

    Quote Originally Posted by Mr_P View Post
    Make sure you use the cookie option as the other will timeout on you pretty quickly.

    The login page you get works with most browsers, but we have issues with Safari with it. You can customize it easily.
    Yeah, it doesn't work with Safari on iOS devices; we have advised users to download Chrome.

  9. #9

    If anyone has any Android devices you will need to add the proxy in manually to get things like the Play Store working, even if you are filtering using ident by location in Smoothwall.

  10. #10
    Tsonga's Avatar
    Quote Originally Posted by RTFM View Post
    We don't but we will be doing. It's easy enough for an end user (receptionist or someone) to log in to the portal and print off some temporary keys (or 100 and have them saved somewhere).
    On a separate VLAN?

    How would Smoothwall handle this if you are currently redirecting BYOD (so... unauthenticated IPs) to the SSL? Surely guest access would just be redirected there as well...

    ...saying that, answering my own question, you could make that VLAN push out a different WPAD that would give out the port of a transparent level proxy, which would be assigned a filtering level.

  11. #11

    Quote Originally Posted by Tsonga View Post
    On a separate VLAN?

    How would Smoothwall handle this if you are currently redirecting BYOD (so... unauthenticated IPs) to the SSL? Surely guest access would just be redirected there as well...

    ...saying that, answering my own question, you could make that VLAN push out a different WPAD that would give out the port of a transparent level proxy, which would be assigned a filtering level.
    Ruckus is handling generation of keys to the SSID; once connected you're getting an IP we know about from our BYOD SSID and we'd transparently proxy that against a location (so the entire range for that VLAN would be set as a location in Smoothwall). That location would then either be filtered as something we already do (key stage 3 for example), which is fairly strict in terms of what you can access, or you set up a new BYOD filter which you can restrict / allow stuff to separately from everyone else depending on what it is you are using it for at the time...

  12. Thanks to RTFM from:

    Tsonga (18th January 2013)

  13. #12

    Quote Originally Posted by Tsonga View Post
    On a separate VLAN?

    How would Smoothwall handle this if you are currently redirecting BYOD (so... unauthenticated IPs) to the SSL? Surely guest access would just be redirected there as well...

    ...saying that, answering my own question, you could make that VLAN push out a different WPAD that would give out the port of a transparent level proxy, which would be assigned a filtering level.
    Not sure what you are asking here? If they are on separate VLANs the location is identified by the IP range of the VLAN; this is created as a Location in Smoothwall, for example 10.149.10.x to 10.149.10.x. Then set up as a transparent proxy and the method for authentication is a redirect to an SSL login page. No need for proxy settings in the device or messing with WPAD.

    Is this how you are doing it RTFM?

  14. Thanks to ict_support from:

    Tsonga (18th January 2013)

  15. #13

    To be honest you shouldn't even need to create a separate location in Smoothwall for the VLAN unless you want to exclude specific filters etc. Normally you'd have the VLAN as another interface on Smoothwall. We have transparent proxy set up with no authentication on our Visitor VLAN (with unauthenticated requests set to use our Visitor web filter policy). Ruckus is set up for guest access mode and reception staff can log in to the Ruckus portal (using their AD login) to generate and print off guest passcodes with instructions.

    We have a separate BYOD VLAN on another Smoothwall interface using transparent proxy with SSL Login (Cookie mode authentication). This applies the filter policies the Student/Staff normally gets. This seems to work fine for me on iOS devices using Safari as long as you apply the iOS hotfix or use a signed SSL certificate.

  16. Thanks to Ashm from:

    Tsonga (18th January 2013)

  17. #14
    Tsonga's Avatar
    To be honest I think I have simply hit my knowledge barrier. I'm not really asking questions from a practical point of view, more to further my own understanding.

    I hadn't thought of the location setup, but I understand how that would work. In terms of interface, would you make the VLAN have a different default gateway (as associated with the interface)? What does Smoothwall have in place to handle separate interfaces?

  18. #15

    If Smoothwall is set up to be the transparent proxy for the VLAN, then the Smoothwall IP for that interface would be the default gateway for the clients.

    You could either use separate network ports on the Smoothwall server as separate interfaces (VLANs mapped to specific ports on the switch it connects to) or you set the port up as a trunked port on the switch with multiple VLANs and then use the "Virtual LAN Adaptors" option to create tagged interfaces in Smoothwall that map to the relevant VLANs.
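
An added example, not part of any post in this thread and not Smoothwall configuration: a Python model of the location-by-IP-range identification described in posts #4, #11 and #12, with an audit that finds VLAN address scopes no location covers, overlapping ranges, and locations where joining the VLAN alone grants an unfiltered policy. The SSID names and modes follow the thread; every subnet, the policy labels and the first-match rule are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed data: SSID names and modes follow the thread; every subnet is made up.
# (location, IP range, proxy mode, authentication, filter policy)
LOCATIONS = [
    ("Curriculum", "10.149.10.0/24", "non-transparent", "proxy via group policy", "per-user"),
    ("iOS", "10.149.20.0/24", "transparent", "ident by location", "ios-apps"),
    ("BYOD", "10.149.30.0/24", "transparent", "SSL login (cookie)", "per-user"),
    ("Admin", "10.149.40.0/24", "transparent", "ident by location", "whitelist-all"),
    ("Guest", "10.149.50.0/24", "transparent", "none", "visitor"),
]
# Address scope actually handed out on each VLAN (Guest is wider than its location).
VLANS = {"Curriculum": "10.149.10.0/24", "iOS": "10.149.20.0/24", "BYOD": "10.149.30.0/24",
         "Admin": "10.149.40.0/24", "Guest": "10.149.50.0/23"}


def resolve(client_ip, locations=LOCATIONS):
    """Return (location, authentication, policy) for a client IP, or None if no range matches."""
    ip = ipaddress.ip_address(client_ip)
    for name, net, _mode, auth, policy in locations:  # first match wins (an assumption)
        if ip in ipaddress.ip_network(net):
            return name, auth, policy
    return None


def audit(vlans=VLANS, locations=LOCATIONS):
    """List places where IP-range identification does not match the intended design."""
    nets = {name: ipaddress.ip_network(net) for name, net, *_ in locations}
    findings = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):  # a client could land in either location
            findings.append(f"overlap: {a} and {b}")
    for vlan, scope in vlans.items():
        scope = ipaddress.ip_network(scope)
        if not any(scope.subnet_of(n) for n in nets.values()):  # some clients match nothing
            findings.append(f"uncovered: {vlan} {scope}")
    for name, _net, _mode, auth, policy in locations:
        if auth == "ident by location" and policy == "whitelist-all":
            findings.append(f"ip-only trust: {name}")  # any device on this VLAN is unfiltered
    return findings


if __name__ == "__main__":
    for ip in ("10.149.30.25", "10.149.51.7"):
        print(ip, "->", resolve(ip))
    print(audit())
```

Clients in an uncovered scope fall through to whatever the filter applies to unidentified requests, so that default policy is worth checking alongside the ranges.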


