Wireless Networks Thread: Ruckus and guest access
  1. #16

    Well, I'm pretty much there with it.

    The video a few posts up really helped.

    I have 5 WLANs. A bog standard WPA2 with MAC filtering for all school devices. The school's iOS devices are configured via Apple Configurator with WLAN, proxy and the McAfee firewall certificate which the county insist we use.

    Then we have a portal/provisioning WLAN for the site, which handles the Zero-IT shenanigans and pushes the users to either the staff or students WLANs depending on their AD group membership. Windows clients have autodetect settings for WPAD and iOS users have to manually enter the FQDN to a local IIS serving a .pac.

    Finally, and this is the stumbling block, the guest WLAN. I'm trying to set it up and it works-ish. All the problems lie with iOS and the inability to add certificates and proxy settings to the Zero-IT mobile.config file. However, the WPAD deployed doesn't seem too clever on Windows either. With iOS I can add the .pac path to the WLAN before connecting. When connecting it will sometimes call the captive portal directly; sometimes I'll have to open Safari and either type a random URL or have to type the FQDN of the ZD activate page. Today I felt all smug that it was working. We had to prep 8 netbooks for some training. The first one went in a treat and then it fell apart. They just wouldn't take the WPAD. The worst part is these proxy files might be cached somewhere, leaving me running around in circles trying to fix it.

    I think I might just create AD users for guests and just assign them login credentials via a laminated card. Just to get the job signed off for half term.

    A side note: we use ownCloud to shovel files from iOS to Windows. Works like a bought one.

    s1n
    Last edited by s1ndr0me; 19th February 2014 at 09:45 PM.

  2. #17

    seawolf
    Quote: Originally Posted by Sheridan
    I think I'll have to ditch the BYOD aspect of Ruckus - it doesn't seem to work very well. For starters the Zero-IT part doesn't work on Macs and then the correct WLAN isn't selected. Plus it simply ignores the wpad.dat file that is uploaded to the ZoneDirector so it means manual proxy details have to be entered - that defeats the purpose a bit.

    It's inconsistent on Android devices as well, so I have no faith in rolling this out to staff/students who might be on iPods/iPads/Macs/phones etc!

    Has anyone implemented a robust BYOD system with anything like Aruba or a similar competitor?
    What version of the Ruckus firmware are you currently using and what model of ZD and APs do you have? The ZeroIT works excellently on both iPads and Macs. Ruckus has one of the more robust BYOD setups I've used.

    Everything is likely going to be inconsistent on Android devices if you are using a wide mix of hardware and OS versions...that's what we've found.

  3. #18

    seawolf
    A bit off topic, but I have to ask.

    Why are so many of you still using an explicit proxy setup rather than a transparent proxy? Using an explicit proxy is an enormous headache, some systems don't play well with it or at all, and as many of you are finding, PAC deployment is not very simple or reliable in a BYOD or heterogeneous device environment. On the other hand, a transparent proxy eliminates all of those headaches and still ensures that all traffic flows through the correct path (the filter). If you are using an explicit proxy as a form of network security to prevent unauthorised clients from joining, there are better ways to do it including MAC filtering, NPS, PacketFence, or other NAC systems.

    Anyway, off-topic post finished.

  4. 2 Thanks to seawolf:

    s1ndr0me (20th February 2014), zag (24th February 2014)

  5. #19


    Are you saying?

    Thanks for the reply seawolf,

    I've heard a bit about transparent proxies whilst trawling the boards for Ruckus info. We just run a couple of explicit Squids that authenticate with the county's ISA server; they take care of firewall/filtering duties. We are tied in with them for years and they are inflexible to say the least. Are you saying that NPS or PacketFence act as transparent proxies?

    If you have the time could you explain a bit further?

    Many thanks

  6. #20

    seawolf
    Quote: Originally Posted by s1ndr0me
    Thanks for the reply seawolf,

    I've heard a bit about transparent proxies whilst trawling the boards for Ruckus info. We just run a couple of explicit Squids that authenticate with the county's ISA server; they take care of firewall/filtering duties. We are tied in with them for years and they are inflexible to say the least. Are you saying that NPS or PacketFence act as transparent proxies?

    If you have the time could you explain a bit further?

    Many thanks
    We use a Transparent Inline Bridge configuration for our web filter, which means that it sits in between the core network switch/router (LAN) and the firewall. So, all traffic HAS to flow through the filter to get from the LAN to the WAN and vice versa. This is a bit different than what some have called a transparent proxy in the past, which was really more of an automatic proxy mode rather than being an inline proxy, because traffic is intercepted and redirected (causing problems with SSL) with that method.

    NAC systems don't act as proxies, they control access onto your network. My comment was more regarding the issue I sometimes see where network managers see explicit proxies as a way to restrict access to the network (or WAN access at least) and that is why they won't look at the transparent inline bridge/proxy option. However, that's not what a proxy is for, and using proper NAC such as NPS or PacketFence is the proper way to achieve access control to your network.

  7. #21
    DMcCoy
    Quote: Originally Posted by seawolf
    My comment was more regarding the issue I sometimes see where network managers see explicit proxies as a way to restrict access to the network (or WAN access at least) and that is why they won't look at the transparent inline bridge/proxy option.
    School network managers in much of the UK will be using explicit proxies because that is the *only* form of internet access they have from their ridiculously overpriced RBC connection. Transparent with a forced upstream doesn't get you very far these days with so much needing SSL, which you are still forced to proxy upstream...

    Leaving the only way of getting anything sensible working is having clients set a proxy on their mobile device.

  8. Thanks to DMcCoy from:

    s1ndr0me (20th February 2014)

  9. #22

    Thanks guys, your help is appreciated. I think I fall into DMcCoy's bracket of users.

    TBH after this morning I've had a guts full. Got in and now can't get the captive portal page up unless all the Windows LAN settings are unticked, including auto detect. Once provisioned I then need to go back in and check the auto detect settings again. Pain in the ...... Probably something to do with the walled garden.
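
One common cause of a portal page that only loads with proxy auto-detect unticked is a PAC file that sends the portal host itself to the proxy. The PAC file below is an added example, not code from any poster in this thread or from Ruckus, that keeps the portal and internal hosts direct and sends everything else to the filter; every hostname, address range and the proxy address in it are assumed placeholders.

```javascript
// Added example PAC file. Hostnames, subnets and the proxy address are
// hypothetical placeholders, not values from the thread.
var PORTAL_HOSTS = ["zd.school.example"];       // assumed captive-portal FQDN
var LOCAL_NETS = [["10.0.0.0", "255.0.0.0"],    // assumed internal ranges
                  ["192.168.0.0", "255.255.0.0"]];
var PROXY = "PROXY proxy.school.example:3128";  // assumed explicit proxy

// Dotted quad -> unsigned 32-bit integer, or -1 if host is not an IPv4
// literal. Pure string work, so the PAC never blocks on a DNS lookup.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True only for IPv4 literals that fall inside one of LOCAL_NETS.
function inLocalNet(host) {
  var ip = ipv4ToInt(host);
  if (ip < 0) return false;
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    var net = ipv4ToInt(LOCAL_NETS[i][0]);
    var mask = ipv4ToInt(LOCAL_NETS[i][1]);
    if (((ip & mask) >>> 0) === ((net & mask) >>> 0)) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (e.g. "intranet") are internal; skip IPv6 literals.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  // The portal must be reachable before the client is authorised.
  // Exact match only: a suffix or substring test would also let
  // look-alike names such as zd.school.example.other.test bypass the filter.
  for (var i = 0; i < PORTAL_HOSTS.length; i++) {
    if (host === PORTAL_HOSTS[i]) return "DIRECT";
  }
  if (inLocalNet(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down, traffic fails closed
  // instead of silently skipping the filter.
  return PROXY;
}
```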

  10. #23

    seawolf
    Quote: Originally Posted by DMcCoy
    School network managers in much of the UK will be using explicit proxies because that is the *only* form of internet access they have from their ridiculously overpriced RBC connection. Transparent with a forced upstream doesn't get you very far these days with so much needing SSL, which you are still forced to proxy upstream...

    Leaving the only way of getting anything sensible working is having clients set a proxy on their mobile device.
    Can't comment on the overpriced RBC connections in the UK.

    However, SSL works just fine with a properly configured transparent inline bridge/proxy (no certificate errors). Forced upstream isn't really a "transparent" proxy, it's just an automatic proxy, thus the problems with SSL.

  11. #24
    DMcCoy
    Quote: Originally Posted by seawolf
    Can't comment on the overpriced RBC connections in the UK.

    However, SSL works just fine with a properly configured transparent inline bridge/proxy
    By doing SSL domain lookup from the cert, like one of the Smoothwall options (and other filters), and allowing a *direct* SSL connection avoiding a MITM issue. Can't do that when you *don't* have direct HTTPS access to sites...

  12. #25

    seawolf
    Quote: Originally Posted by DMcCoy
    By doing SSL domain lookup from the cert, like one of the Smoothwall options (and other filters), and allowing a *direct* SSL connection avoiding a MITM issue. Can't do that when you *don't* have direct HTTPS access to sites...
    Sounds like the internet services available for UK schools leave a lot to be desired...

  13. #26
    robjduk
    I gave up on Ruckus guest access as it only seems to work if it can be arsed. Works on iPads most of the time, Macs sometimes, Windows phones with a pause and Android phones if the wind is blowing in the right direction. We just made a WLAN with isolated clients and rolled the key out to the students to use. We do use guest access for actual guests to the building though, just to keep tabs on it.

  14. #27

    seawolf
    Quote: Originally Posted by robjduk
    I gave up on Ruckus guest access as it only seems to work if it can be arsed. Works on iPads most of the time, Macs sometimes, Windows phones with a pause and Android phones if the wind is blowing in the right direction. We just made a WLAN with isolated clients and rolled the key out to the students to use. We do use guest access for actual guests to the building though, just to keep tabs on it.
    What version of Ruckus firmware are you using because Ruckus guest access works fantastically for us. I've set it up so that either IT, reception or the librarian can issue guest passes with ease. It works just fine on iPads, iPhones, Macs, and Windows 7, 8, and 8.1. Haven't tried it on a range of Android devices, but despite the wide range of hardware and OS builds out there with the thousands of possible configurations, it should still work fine on most.

  15. #28
    robjduk
    I don't have the version at hand but updated it about 4 weeks ago to the latest version. Sometimes it worked but often it just did not want to know. Also students bringing in Macs with admin passwords they did not know was painful. I think the final straw for me was when quite a few students wanted to use Surface RTs.

  16. #29

    seawolf
    Quote: Originally Posted by robjduk
    I don't have the version at hand but updated it about 4 weeks ago to the latest version. Sometimes it worked but often it just did not want to know. Also students bringing in Macs with admin passwords they did not know was painful. I think the final straw for me was when quite a few students wanted to use Surface RTs.
    I suspect you might be talking about the Zero-IT config rather than the Guest WLAN feature in Ruckus? Otherwise, I don't know why a student lacking an admin password on a computer would have anything to do with it?

  17. #30
    robjduk
    Ah, that sounds about right.
