3 Replies Latest reply on Nov 21, 2016 11:12 AM by luchino 74

    Captive portal methods

    aussiewan

      Hi all

       

      I have been trying to set up a captive portal for an IP range using McAfee Web Gateway 7.2.0.2.0. We require it to be IP based so that it supports non-browser applications, such as iPhone/iPad applications. We want it to be a webpage for user authentication, as that provides a better user experience and doesn't rely on the device supporting particular methods. The hope is that devices that recognise Captive Portals will be able to prompt the user as part of the wireless connection process.

       

      I have imported the Authentication Server (Time/IP based session) rule set from the library as a starting point, and merged some ideas from the Cookie Authentication with Login Page rule set. The rule set bounces to the auth subsection and shows the login page. However, putting in any credentials bounces back to an empty login page. I commented out the location change line in the JavaScript and monitored what the client was doing (using Google Chrome console, viewing Network traffic) - it submitted the credentials, they were accepted, then it tried to redirect back to the originally requested page. Putting incorrect credentials into the page fails as expected. However, it appears that the Authentication Server object isn't storing the user authentication information, so it keeps bouncing back to the login page. To test further, I turned off the rules for the login page and replaced it with an NTLM authentication request, which appeared to work perfectly; however, it makes the prompt appear locally on the device in a different way that does not allow us to customise it.

       

      My theory is that because the NTLM authentication happens as part of the same session (via response 407), it is still part of the same cycle and redirects back to the authentication server to save the user information before redirecting to the originally requested webpage. When using a webpage (via response 302) to authenticate, it breaks out of the cycle and can't redirect back through the authentication server properly.

       

      Has anyone successfully made a Captive Portal in MWG that uses a web-page to collect the user credentials? I have thought that perhaps the coaching system may also do what I want, but I have not looked into that as yet.

       

      Note that the MWG environment is a cluster of 6 servers at the moment, and will soon be 10. This makes using PDStorage a less attractive option due to the time it takes to sync the PDStorage values across the cluster.

       

      Any thoughts or suggestions would be greatly appreciated. I have attached an export of the rule set for anyone who is interested in taking a look.

       

      Regards,

      Philip

        • 1. Re: Captive portal methods
          asabban

          Hello,

           

          I believe you are looking for a rule set that uses

           

          - Time IP based Sessions

          - Login Page instead of "classic" proxy Auth

           

          I have attached an example. I recommend adding it without any modifications and testing it with a browser. If it works, go ahead and test with a mobile device. If it still works, start doing modifications or combine it with other rules as required.

           

          Since the authentication is pretty complex, I strongly recommend going step by step and not applying more than one change at a time, as otherwise you will probably have a hard time debugging.

           

          Credits for this rule set go to cnewman who also looks in here from time to time.

           

          Best,

          Andre

           

          Message edited by asabban on 28.08.12 02:03:23 CDT
          • 2. Re: Captive portal methods
            aussiewan

            Thanks Andre.

             

            As you suggested, I imported your version and the only thing I changed was the authentication method (so it uses our Active Directory instead of local user database). It worked great! I gradually made changes, and found that the issue appears to be the webpage Collection (we call it a schema, but whatever you want to call the group of webpages that you can assign for blocks, authentication etc). While the page was in the Default collection, it was fine. Even after copy/pasting the page code to our custom collection, it failed. I have copied the Default collection to a new one so that we can edit it without impacting the original system and will tweak it from there. We wanted to do that anyway to make a mobile-device-friendly template that will adjust width etc to suit smaller screens better.

             

            Thanks so much for your quick and helpful response, Andre! I may still have some hair left at the end of this project thanks to you

            • 3. Re: Captive portal methods
              luchino 74

              Hi Andre,

              I'm new with the MWG, so can you tell me if there is a guide for configuring the MWG captive portal methods?

              Thank you

              Luca