Barracuda web filter

  • Question
  • Updated 4 years ago
  • Answered
We've set up a RADIUS server and gotten authentication all set up, but now we're running into another issue. Devices that connect to this SSID are getting a free pass through the web filter we use. Could this be related to the user that was created to do the AD lookups?

Keith Vandersluis


Posted 4 years ago


Nick Lowe, Official Rep

How are they authenticating to the filter?

If you are using a separate challenge, it has nothing to do with RADIUS.

If you are attempting to do this transparently based on RADIUS information alone without a separate challenge, this cannot work reliably yet due to issues in HiveOS around making the Framed-IP-Address available in the RADIUS accounting information. These issues relate to the accuracy and timeliness of the information.

There is also typically an identity spoofing issue due to EAP identity privacy where a user can claim to be any other legitimate user on your network. You need to get the real identity somehow or prohibit identity privacy at the RADIUS server.

If Barracuda track based on auth as well as accounting, their product must be able to track based on the Acct-Multi-Session-Id to cope with client roams where the Acct-Session-Id, Called-Station-Id and usually NAS-Identifier differ.

(To work properly, an SSO product must be able to discern the constituent sessions that constitute a client's connection that all relate back to an original EAP authentication.)

Keith Vandersluis

I had presumed that they would authenticate against the filter with their AD credentials. But since they're getting a free pass this doesn't seem to be the case.

Nick Lowe, Official Rep

Let us take a step back then. There needs to be a mechanism for authentication to take place to the Web filter with session start and IP address information for clients, potentially session stop too. If you just have RADIUS auth and accounting taking place in your environment, nothing integrates this with your Web filter automatically.

This integration can be done with many Web filters but it requires software to plumb it together, and it is complex and nuanced to achieve it in software, so many companies who have tried to write it get it wrong. Worse, it gets tricky with APs and switches from some vendors due to issues in their RADIUS implementation.

From a client's perspective, the supplicant just completes 802.1X authentication which gives network access. It does not typically affect anything at a higher level of the stack. There is no session information that can be passed on by a standardised mechanism.
(Edited)
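
Added example, not part of the thread and not Barracuda's or Aerohive's code: a sketch of the session tracking the replies above describe, grouping accounting records by Acct-Multi-Session-Id so that a roam (new Acct-Session-Id and Called-Station-Id) does not break the IP-to-user mapping a web filter needs. The class and function names, the dict record format and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Connection:
    user: str                      # User-Name as sent; assumes the RADIUS server supplies the real identity
    ip: Optional[str] = None       # Framed-IP-Address, may only appear in a later update
    open_sessions: set = field(default_factory=set)

class SessionTracker:
    """Hypothetical tracker: one Connection per Acct-Multi-Session-Id."""
    def __init__(self):
        self.connections = {}

    def handle(self, rec):
        # Fall back to Acct-Session-Id when the NAS sends no multi-session id.
        multi = rec.get("Acct-Multi-Session-Id") or rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            conn = self.connections.setdefault(multi, Connection(rec["User-Name"]))
            conn.open_sessions.add(rec["Acct-Session-Id"])
            conn.ip = rec.get("Framed-IP-Address", conn.ip)
        elif status == "Stop" and multi in self.connections:
            conn = self.connections[multi]
            conn.open_sessions.discard(rec["Acct-Session-Id"])
            if not conn.open_sessions:       # last constituent session ended
                del self.connections[multi]

    def user_for_ip(self, ip):
        return next((c.user for c in self.connections.values() if c.ip == ip), None)

def replay(records):
    tracker = SessionTracker()
    for rec in records:
        tracker.handle(rec)
    return tracker

def rec(status, session, ap, ip=None):
    r = {"Acct-Status-Type": status, "Acct-Session-Id": session, "Called-Station-Id": ap,
         "Acct-Multi-Session-Id": "M-42", "User-Name": "alice"}
    if ip:
        r["Framed-IP-Address"] = ip
    return r

# Constructed sample: the client joins AP1, its IP arrives late, it roams to AP2,
# and AP1's Stop arrives after AP2's Start.
SAMPLE = [
    rec("Start", "A1-0001", "AP1"),
    rec("Interim-Update", "A1-0001", "AP1", "10.0.0.23"),
    rec("Start", "A2-0007", "AP2", "10.0.0.23"),
    rec("Stop", "A1-0001", "AP1"),
    rec("Stop", "A2-0007", "AP2"),
]
```

After the first four records the mapping for 10.0.0.23 still resolves to the user despite AP1's Stop; it is dropped only when the last constituent session stops.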