jps

mobile devices and authentication, or, how to bypass it

How are people handling mobile devices (iOS specifically, but I'm sure it's pretty universal) on your network? Like most, iOS is ubiquitous in our environment, and will be on the corporate network in a short amount of time.

Here's a little bit about us:

  • Authentication = NTLM
  • iOS clients will not come from dedicated address space
  • This is all about being able to pull a specific users web history if required by HR
  • I fully appreciate the fact that if someone wants to get silly, they can simply switch from wireless to cellular and we'll never see it

As best as I can tell, the real options are to bypass authentication based off of client.ip, or user-agent. Client IP is difficult for me, as iOS mingles with Windows users, and user-agent reminds me of whack-a-mole (I'm currently up to 18 different ones, and I've started getting pretty liberal with wildcards).

So, what are people doing? No Internet access? User-agents? Client IP? Letting users deal with the authentication prompts? Something else?

Appreciate the help,

Jim

mdc

Re: mobile devices and authentication, or, how to bypass it

Jim,

Did you find a solution to this?  We also have this issue.

jps

Re: mobile devices and authentication, or, how to bypass it

Not exactly.

I got certificate authentication working with self-signed CA/client certs yesterday, but the results were pretty mixed. Apps like Safari, Mail, and Evernote worked great (after enabling acceptance of 3rd party cookies). Chrome, App Store, and Apple Maps didn't work at all.

I think the way this story ends is with a hybrid approach - authenticate (with certs) where possible, and identify via user-agent what should be bypassed.

I hate the thought of maintaining an ever-growing list of user-agent strings, though...

mdc

Re: mobile devices and authentication, or, how to bypass it

I agree with the user agent lists.

How did you get the cert auth working?  I have imported/configured the rules but am getting stuck at the 'ask user for client cert' rule.

MC

McAfee Employee

Re: mobile devices and authentication, or, how to bypass it

Hi Mike and Jim,

I have some ideas on this but it really depends on what is attempting to be accomplished.

From what Jim is saying, he wants to do direct proxy auth, and if they fail, do certificate auth. His current method of identifying whether or not someone should perform certificate auth is based on user-agent. This definitely could cause problems for HTTPS connections where the User-Agent isn't always available.

Rather, what I suggest doing is the following.

If the user fails to authenticate via NTLM for example, then redirect them to the "Authentication server" to obtain a certificate and a session. Once they have obtained the certificate and the session they should get prompted much less (it could be none at all).

Attached is a ruleset (2012-11-13_10-39_Certificate Based Authentication - v3.xml) which I have used as a boiler template for getting plain-old certificate auth in place. There is some moving around that needs to happen, but the basics are there. This does not behave as I described above, but if you want to get your feet wet with certificate auth, the attached ruleset should help.

I have another ruleset in the works (which I have not tested -- 2013-03-20_18-21_Failover Auth (proxy auth then cert based auth).xml ) that I will try to work with Jim on that will accomplish what I stated above.

Best,

Jon

McAfee Employee

Re: mobile devices and authentication, or, how to bypass it

The second ruleset I posted doesn't work (2013-03-20_18-21_Failover Auth (proxy auth then cert based auth).xml (282.2 K)), I'll have to tweak it a bit tomorrow.

Best,

Jon

phlrnnr

Re: mobile devices and authentication, or, how to bypass it

We too are struggling very much right now with the best way to approach iPads and proxy authentication.  It just does not seem to work very well.  It is very hard to identify an iPad from the proxy perspective.  We can't easily put all of these devices on their own VLAN to identify them by client IP, and as Jim said, identifying them by User-Agent is like playing whack-a-mole.  It is a never ending, changing list, and it changes based on potentially each different app that is trying to access the Internet.

iPads seem to present a catch-22.  It would be easiest to bypass auth for them, but they are very difficult to consistently identify.  On the other hand, if you bypass auth, then the organization loses all visibility into employee surfing habits, and end users have found a "workaround" to surf the Internet for free (just get a corporate iPad).

Has anyone come up with some better solutions?

Jon, did you ever get the Failover Auth (proxy auth then cert based auth).xml ruleset working that you mentioned above? 

McAfee Employee

Re: mobile devices and authentication, or, how to bypass it

Hey Phl,

How are you getting the ICAP traffic to the MWG? Direct Proxy or transparently (WCCP)?

(I asked because it matters in what ruleset I post)

Best,

Jon

phlrnnr

Re: mobile devices and authentication, or, how to bypass it

We aren't using ICAP to get it to the MWG.  Do you mean iPad?

We are using Direct Proxy, using a PAC file.

McAfee Employee

Re: mobile devices and authentication, or, how to bypass it

Hi Phl,

What I did with jps is we used a separate proxy port to distinguish workstations (which can do NTLM) from the iPads (or other devices).

So in the rules it was:

proxy.port=9090

then do NTLM

proxy.port=9091

then do CERT AUTH

Is this something that could work? Or would you need something different, like:

Try NTLM, if it fails, do cert authentication?

Best,

Jon

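The thread's underlying trade-off is visibility: every request that is bypassed on user-agent (or that arrives as an HTTPS CONNECT with no user-agent at all) is a request HR can no longer tie to a named user. The following is an added example, not code from the thread or from McAfee Web Gateway, that audits a constructed, pipe-delimited proxy access log to measure that gap before a bypass rule is deployed; the log format, sample lines and the iOS user-agent pattern are all assumptions.

```python
# Added example (not from the thread or from MWG): measure how much proxy
# history becomes unattributable to a user when auth is bypassed for iOS.
import re
from collections import Counter

# Constructed log, one request per line:
# time|client_ip|auth_user|method|host|user_agent   ("-" = no authenticated user)
SAMPLE_LOG = """\
2013-03-21T09:00:01|10.1.5.20|jsmith|GET|intranet.example|Mozilla/5.0 (Windows NT 6.1) ...
2013-03-21T09:00:02|10.1.5.21|-|GET|news.example|Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26
2013-03-21T09:00:03|10.1.5.21|-|CONNECT|mail.example:443|
2013-03-21T09:00:04|10.1.5.22|-|GET|maps.example|Apple Maps/1.0 CFNetwork/609
2013-03-21T09:00:05|10.1.5.23|-|CONNECT|store.example:443|
2013-03-21T09:00:06|10.1.5.20|jsmith|CONNECT|bank.example:443|Mozilla/5.0 (Windows NT 6.1) ...
"""

# Constructed stand-in for the "whack-a-mole" user-agent bypass list.
IOS_UA = re.compile(r"iPad|iPhone|CFNetwork")

def parse(log_text):
    """Turn the constructed log into dicts; an empty UA field stays ''."""
    rows = []
    for line in log_text.splitlines():
        _t, ip, user, method, host, ua = line.split("|", 5)
        rows.append({"ip": ip, "user": None if user == "-" else user,
                     "method": method, "host": host, "ua": ua})
    return rows

def audit(rows):
    """Classify each request by how well it can still be attributed:
    authenticated   -> tied to a named user
    bypassed_by_ua  -> only the client IP remains (shared with Windows users)
    no_user_no_ua   -> typical CONNECT with empty UA: neither rule can place it"""
    counts = Counter()
    for r in rows:
        if r["user"]:
            counts["authenticated"] += 1
        elif IOS_UA.search(r["ua"]):
            counts["bypassed_by_ua"] += 1
        else:
            counts["no_user_no_ua"] += 1
    return counts

def history_for(rows, user):
    """The HR-style pull the original post needs: hosts attributable to a user."""
    return [r["host"] for r in rows if r["user"] == user]
```

Running `audit(parse(SAMPLE_LOG))` on the constructed log shows that four of six requests are already outside what a per-user history pull can return, which is the number to weigh before choosing a bypass over certificate auth.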