Problem
On BYOD networks with many different types of devices, including game consoles, authenticating users with the SSL Login page can cause issues when devices that are not capable of showing the SSL Login page access the network.
Issue
Devices that are not logged in might be blocked from otherwise allowed traffic. As device applications will retry connections, this can result in large amounts of traffic being blocked, causing problems with performance.
Resolution
To resolve this, there are multiple tools that can be used, often in conjunction with each other. Modifications to the authentication scheme on the BYOD network might need to be considered; contact Smoothwall Support, who can advise on the best way forward should that be the case. The various tools that can be used are:
RADIUS authentication on BYOD
While not all devices are capable of using 802.1x authentication, this method allows users to log in and authenticate to Smoothwall at the same time that they log in to the BYOD WiFi. This avoids any authentication issues with apps and services. The RADIUS method works in conjunction with the SSL Login page, so both can be used on the same BYOD network. Devices using 802.1x logins will never get the login page, while devices that do not connect using the 802.1x WiFi SSID will see the login page.
Drop connection blockpage
Smoothwall can drop a connection to the web filter, rather than displaying a blockpage. This can be useful in BYOD networks, where devices might try to access blocked resources continuously. Often apps in the background will try to perform status updates or similar, which might result in a large amount of traffic getting blocked, causing performance issues on the network.
Smoothwall has added a new tool to use in those situations: the option to drop a connection rather than showing a blockpage. Identifying destinations or sources that are getting blocked excessively, and configuring a drop connection for them instead of showing a blockpage, prevents resources from being consumed by the blockpage server.
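As an added example (not part of the original article and not Smoothwall code), the following Python script shows one way to find destinations that are blocked excessively and are therefore candidates for a drop connection rule. The log line format, the `drop_candidates` function, and the threshold and window values are all assumptions made for illustration; adapt the parser to whatever export your logs provide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format (not Smoothwall's own log format):
# ISO timestamp, source IP, destination host, action
SAMPLE_LOG = "\n".join(
    [f"2024-03-04T09:00:{s:02d} 10.20.0.15 status.console.example BLOCKED"
     for s in range(0, 40, 5)]  # a console app retrying every 5 seconds
    + ["2024-03-04T09:00:12 10.20.0.31 news.example ALLOWED",
       "2024-03-04T09:03:00 10.20.0.31 ads.example BLOCKED",
       "2024-03-04T09:20:00 10.20.0.31 ads.example BLOCKED",
       "malformed line"]
)

def parse(log_text):
    """Yield (time, source, destination, action); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3]

def drop_candidates(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each destination blocked >= threshold times inside any window
    to the sorted list of sources that were blocked reaching it."""
    blocked = defaultdict(list)
    for when, src, dst, action in parse(log_text):
        if action == "BLOCKED":
            blocked[dst].append((when, src))
    candidates = {}
    for dst, events in blocked.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                candidates[dst] = sorted({src for _, src in events})
                break
    return candidates

if __name__ == "__main__":
    for dst, sources in drop_candidates(SAMPLE_LOG).items():
        print(dst, sources)
```

Occasional blocks, such as the two `ads.example` hits 17 minutes apart in the sample, stay below the default threshold and keep their normal blockpage.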
To configure a drop connection blockpage, use the policy wizard in "Guardian - Blockpages". The action step has the option to drop the connection instead of showing a specific blockpage.
Only block outside the "Sandbox"
Another option to add to the toolbox is to allow unauthenticated access to the approved categories and sites. Only when the client moves outside this sandbox will the client get a blockpage and be asked to log in to proceed.
This method reduces login and authentication issues, but user identification might not happen inside the "sandbox" or unauthenticated domains.
This method can also be used for shared iOS devices like iPads. Make sure unauthenticated access to all resources needed during school has been configured, and anyone can pick up an iPad and access school resources. As soon as the user moves outside this sandbox, they will be asked to log in to proceed.