Welcome to ISAserver.org

Mixed Authentication/Anonymous

All Forums >> [Threat Management Gateway (TMG) 2010] >> General >> Mixed Authentication/Anonymous

Mixed Authentication/Anonymous - 7.Dec.2012 3:47:10 AM   
ldoodle (Posts: 158, Joined: 21.Mar.2005, From: England)
Hiya,

We have a requirement where we want proxy authentication for domain joined clients (both wired and Wi-Fi) and anonymous access for BYOD, such as smartphones/tablets etc. that connect over Wi-Fi only.

Is this possible?

Thanks
Post #: 1
RE: Mixed Authentication/Anonymous - 7.Dec.2012 4:00:26 PM   
ferrix (Posts: 547, Joined: 16.Mar.2005)
If you assign a different subnet for the anonymous clients, then yes it's possible. Make two access rules, based on the source network.

But if the source network is not distinguishable then the rule matching will fail to do what you want. ISA/TMG web proxy design constrains you here. If an authenticated rule matches first, but the traffic is anonymous, it will hard fail. If an anonymous rule matches first, even if the client supports authentication, the traffic will always be marked anonymous. (Yes, this is stupid).

(in reply to ldoodle)
Post #: 2
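The two failure modes ferrix describes come straight from first-match rule evaluation. The model below is an added illustration written for this thread, not TMG code or anything from the poster: the subnets (10.1.0.0/24, 10.2.0.0/24), the rule names and the sample clients are constructed, and it models only the source-network and authentication dimensions of an access rule (real rules also match on protocol, destination and schedule). It shows the working case (distinct subnets, one rule each) beside the shared-subnet case, where whichever rule is ordered first breaks one class of client.

```python
"""First-match web-proxy rule evaluation, as described in the post above.

Added model for this thread, not TMG code: subnets, rule names and the
sample clients are all constructed. Only the source-network and
authentication dimensions of an access rule are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[str, ...]   # CIDR blocks this rule applies to
    require_auth: bool         # True: "All Authenticated Users"; False: "All Users"


@dataclass(frozen=True)
class Client:
    ip: str
    domain_user: Optional[str]  # credentials it could present; None for BYOD/guest


def evaluate(rules: List[Rule], client: Client) -> Tuple[str, str]:
    """Return (outcome, identity_logged) for the first rule whose source matches.

    - auth-required rule hit by a client with no credentials: request fails
      (the proxy challenges, the client has nothing to send)
    - anonymous rule hit by a domain client: allowed, but the proxy never asks
      for credentials, so the log carries only the IP address
    """
    addr = ipaddress.ip_address(client.ip)
    for rule in rules:
        if not any(addr in ipaddress.ip_network(net) for net in rule.sources):
            continue
        if rule.require_auth:
            if client.domain_user is None:
                return ("denied", client.ip)
            return ("allowed", client.domain_user)
        return ("allowed", client.ip)
    return ("denied", client.ip)   # no matching rule: default deny


def run(rules: List[Rule], clients: List[Client]) -> Dict[str, Tuple[str, str]]:
    return {c.ip: evaluate(rules, c) for c in clients}


# Constructed sample clients (hypothetical addresses and account name).
LAPTOP = Client("10.1.0.10", "CORP\\alice")    # domain-joined, can authenticate
PHONE = Client("10.2.0.20", None)               # BYOD on its own subnet
PHONE_ON_CORP = Client("10.1.0.20", None)       # BYOD sharing the corporate subnet


def separate_subnets() -> Dict[str, Tuple[str, str]]:
    """Distinct subnets: one rule per source network, both clients behave as wanted."""
    rules = [
        Rule("Corp - authenticated", ("10.1.0.0/24",), require_auth=True),
        Rule("BYOD - anonymous", ("10.2.0.0/24",), require_auth=False),
    ]
    return run(rules, [LAPTOP, PHONE])


def shared_subnet(auth_rule_first: bool) -> Dict[str, Tuple[str, str]]:
    """Same subnet for both: whichever rule is ordered first breaks one class of client."""
    auth = Rule("Everyone - authenticated", ("10.1.0.0/24",), require_auth=True)
    anon = Rule("Everyone - anonymous", ("10.1.0.0/24",), require_auth=False)
    rules = [auth, anon] if auth_rule_first else [anon, auth]
    return run(rules, [LAPTOP, PHONE_ON_CORP])


if __name__ == "__main__":
    print("separate subnets:  ", separate_subnets())
    print("shared, auth first:", shared_subnet(True))
    print("shared, anon first:", shared_subnet(False))
```

With the authenticated rule first on a shared subnet, the BYOD phone is denied outright; with the anonymous rule first, the domain laptop is allowed but logged by IP only, which is exactly the per-user attribution the thread later identifies as the reason for authenticating in the first place. The evaluation never falls through from an anonymous-match to the authenticated rule below it, so reordering cannot rescue both clients.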
RE: Mixed Authentication/Anonymous - 17.Dec.2012 10:51:30 AM   
ldoodle (Posts: 158, Joined: 21.Mar.2005, From: England)
Thanks ferrix. That's what I thought.

How would one assign a different subnet for anonymous clients (as in, all non-domain devices)?

(in reply to ferrix)
Post #: 3
RE: Mixed Authentication/Anonymous - 17.Dec.2012 10:59:35 AM   
ferrix (Posts: 547, Joined: 16.Mar.2005)
That is mostly a question relating to things external to ISA/TMG. Maybe you can set up the wireless access points to NAT the traffic to you from a known IP. Or you can figure out how to segment the DHCP space so only certain IPs are assigned to the wireless clients. Or (infinite possible things) etc.

(in reply to ldoodle)
Post #: 4
RE: Mixed Authentication/Anonymous - 17.Dec.2012 11:02:55 AM   
ldoodle (Posts: 158, Joined: 21.Mar.2005, From: England)
Flipping this on its head, the only reason we use authentication in TMG is so it logs the username rather than the IP address?

Is there any way of logging the username with no authentication... in other words, making everything anonymous again so it 'fixes' the issue for non-domain-joined devices? We have a requirement for guest access as well, as in our clients coming to visit us or suppliers doing presentations.

(in reply to ldoodle)
Post #: 5
RE: Mixed Authentication/Anonymous - 17.Dec.2012 11:04:31 AM   
ldoodle (Posts: 158, Joined: 21.Mar.2005, From: England)
The problem with NATing the traffic from the access point is that it would then make all access anonymous, even for domain-joined devices (company laptops, for example), so they would get unlogged web access.

(in reply to ferrix)
Post #: 6
RE: Mixed Authentication/Anonymous - 17.Dec.2012 11:08:45 AM   
ferrix (Posts: 547, Joined: 16.Mar.2005)
I have been assuming you had separate wireless for the domain joined machines. You certainly could do so if you wanted. Have something strongly keyed for controlled systems, and then another segment with a different SSID for your anons.

(in reply to ldoodle)
Post #: 7