We currently have students that connect to the network with computers that are not joined to the domain. They connect through an Aruba wireless system which authenticates through a RADIUS chain which includes a Bradford Network Access Control system and Microsoft IAS. We put the Websense RADIUS agent in the chain, but since the authentication occurs at network layer 2, the name/IP pair is not available during the authentication process. Once the IAS confirms the username/password, it passes it back to Bradford, which determines the VLAN and passes it back to Aruba, which assigns the VLAN. Once the machine has been assigned its VLAN, it obtains its IP through DHCP on that VLAN. We need a Websense XID agent that can read the username/IP pairs from Aruba, Bradford, or even a custom location. Has anyone else come across this problem, and if so, what was your solution?
What is the back end authentication service, Active Directory? You'll want to be integrating with that, not with your middle-men Aruba and Bradford.
At the worst, manual authentication would do the trick although it's annoying. Better case would be using WMI but that requires you to be using the Websense Content Gateway.
We do have a WCG. Is there a specific KB article you'd recommend for using WMI authentication on a WCG?
thanks,
I've never used it myself so unfortunately not, but I know many other people have it in use and seem to like it. Looking in the config it's actually called IWA (Integrated Windows Authentication).
IWA will allow you to have the browser do the authentication instead of trying to pull it from the backend somewhere.
IWA requires the machines to be joined to the domain -- thanks for checking though. I think we're going to have to live with log on prompts or quick logging student names....
There's NTLM as well which may not require them to be on the domain
NTLM will still prompt the users, which is what he is trying to avoid.
Do you have RADIUS accounting enabled? Where in the chain did you put the WS radius agent?
From looking at the docs quickly, it seems that the WS Radius agent should be able to pick up the IP address from the accounting requests if accounting is enabled.
The chain looks like this: Aruba -- WS RADIUS -- Bradford NAC -- IAS. The IAS verifies the account and passes it back to Bradford; Bradford says, "I recognize this user, put him in VLAN xx"; Websense passes it to Aruba, who actually puts the machine in the VLAN specified by the Bradford system. The machine then does DHCP on that VLAN to get its IP address. So the IP address is obtained after the RADIUS chain is completed.
If I understand this correctly, then when the Aruba sends accounting updates to the IAS, then the WS Radius agent should be able to determine the IP address associated to the username that was authenticated on that same port. This assumes that you have configured the Aruba to send accounting information to IAS.
I have not tried this and am basing it purely on the documentation.
I'll research that a bit and reply back...thank you for the idea!
We pulled the WS RADIUS agents out of the authentication chain, but left them in the accounting chain, turned accounting on on the Aruba controller, and are now seeing username/IP combinations in the XID map on the filter service. I'm no longer being prompted on my iPhone.... good call mlpotgieter!
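The mechanism the thread converges on (mlpotgieter's accounting suggestion and the final confirmation that the XID map fills from the accounting chain) works because a RADIUS Accounting-Request carries both User-Name and Framed-IP-Address once the client has obtained an address, which is exactly the pair that is missing during layer-2 authentication. The script below is an added example, not Websense code and not the RADIUS agent's implementation: it builds a sample Accounting-Request per RFC 2866, verifies the Request Authenticator against a shared secret so that a forged accounting packet cannot poison the identity map, and applies Start/Interim-Update/Stop records to an IP-to-username map. The secret, usernames and addresses are constructed sample values; whether a given controller puts Framed-IP-Address in the Start record or only in a later Interim-Update is NAS-specific and is assumed here, so the code accepts either.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types from RFC 2865/2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1
ACCT_STATUS_STOP = 2
ACCT_STATUS_INTERIM = 3


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS TLVs (length covers type+len+value)."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request. The Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) per RFC 2866 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the attribute area; reject truncated or malformed TLVs instead of guessing."""
    attrs = []
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def verify_accounting_request(packet, secret):
    """True only if the packet is a well-formed Accounting-Request whose authenticator
    matches the shared secret. Without this check any host on the VLAN could inject
    fake username/IP pairs into the map."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def update_user_ip_map(user_map, packet, secret):
    """Apply one accounting packet to the ip -> username map.
    Returns 'start', 'stop', 'ignored' or 'rejected' so callers can log what happened."""
    if not verify_accounting_request(packet, secret):
        return "rejected"
    user = ip = status = None
    for attr_type, value in parse_attrs(packet[20:]):
        if attr_type == ATTR_USER_NAME:
            user = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
    if ip is None or status is None:
        return "ignored"  # e.g. a Start sent before DHCP finished: no address yet
    if status in (ACCT_STATUS_START, ACCT_STATUS_INTERIM) and user:
        user_map[ip] = user
        return "start"
    if status == ACCT_STATUS_STOP:
        user_map.pop(ip, None)  # session ended; the lease may go to someone else
        return "stop"
    return "ignored"


def demo():
    """Constructed sample exchange: Start with address, then Stop, plus a forged packet."""
    secret = b"constructed-shared-secret"  # sample value, not a real deployment secret
    user_map = {}
    start = build_accounting_request(7, [
        (ATTR_USER_NAME, b"student01"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    ], secret)
    results = [update_user_ip_map(user_map, start, secret)]
    snapshot = dict(user_map)
    forged = build_accounting_request(8, [
        (ATTR_USER_NAME, b"admin"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.41").packed),
    ], b"wrong-secret")
    results.append(update_user_ip_map(user_map, forged, secret))
    stop = build_accounting_request(9, [
        (ATTR_USER_NAME, b"student01"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_STOP)),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    ], secret)
    results.append(update_user_ip_map(user_map, stop, secret))
    return results, snapshot, user_map


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three outcomes: the Start record populates the map, the packet built with the wrong secret is rejected and leaves the map untouched, and the Stop record removes the entry. The Stop handling matters in a DHCP environment like the one described, because the same address will be reissued to a different student's device and a stale mapping would attribute that device's traffic to the wrong user.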