How are people handling mobile devices (iOS specifically, but I'm sure it's pretty universal) on your network? Like most, iOS is ubiquitous in our environment, and will be on the corporate network in a short amount of time.
Here's a little bit about us:
As best as I can tell, the real options are to bypass authentication based off of client.ip, or user-agent. Client IP is difficult for me, as iOS mingles with Windows users, and user-agent reminds me of whack-a-mole (I'm currently up to 18 different ones, and I've started getting pretty liberal with wildcards).
So, what are people doing? No Internet access? User-agents? Client IP? Letting users deal with the authentication prompts? Something else?
Appreciate the help,
I got certificate authentication working with self-signed CA/client certs yesterday, but the results were pretty mixed. Apps like Safari, Mail, and Evernote worked great (after enabling acceptance of 3rd party cookies). Chrome, App Store, and Apple Maps didn't work at all.
I think the way this story ends is with a hybrid approach - authenticate (with certs) where possible, and identify via user-agent what should be bypassed.
I hate the thought of maintaining an ever-growing list of user-agent strings, though...
I agree with the user agent lists.
How did you get the cert auth working? I have imported/configured the rules but am getting stuck at the 'ask user for client cert' rule.
Hi Mike and Jim,
I have some ideas on this but it really depends on what is attempting to be accomplished.
From what Jim is saying, he wants to do direct proxy auth, and if they fail, do certificate auth. His current method of identifying whether or not someone should perform certificate auth is based on user-agent. This definitely could cause problems for HTTPS connections where the User-Agent isn't always available.
Rather, what I suggest doing is the following.
If the user fails to authenticate via NTLM for example, then redirect them to the "Authentication server" to obtain a certificate and a session. Once they have obtained the certificate and the session they should get prompted much less (it could be none at all).
Attached is a ruleset (2012-11-13_10-39_Certificate Based Authentication - v3.xml) which I have used as a boiler template for getting plain-old certificate auth in place. There is some moving around that needs to happen, but the basics are there. This does not behave as I described above, but if you want to get your feet wet with certificate auth, the attached ruleset should help.
I have another ruleset in the works (which I have not tested -- 2013-03-20_18-21_Failover Auth (proxy auth then cert based auth).xml ) that I will try to work with Jim on that will accomplish what I stated above.
How are you getting the ICAP traffic to the MWG? Direct Proxy or transparently (WCCP)?
(I asked because it matters in what ruleset I post)
What I did with jps is we used a separate proxy port to distinguish workstations (which can do NTLM) from the iPads (or other devices).
So in the rules it was:
then do NTLM
then do CERT AUTH
Is this something that could work? Or would you need something different, like:
Try NTLM, if it fails, do cert authentication?