
Transparent NTLM Authentication Cisco CWS and ISR not functioning

cooperwaldon
Level 1

Hello All,

I am setting up a transparent proxy using Cisco CWS and an ISR (Cisco 3925 with version 15.4-3.M3).

I have it mostly functional; however, the issue that I'm having now is that the transparent NTLM functionality doesn't appear to be working. When I go to a web page after clearing the ip admission cache, I get prompted for a username and password when I use Chrome or IE (I know Firefox doesn't support transparent NTLM).

The LDAP authentication appears to be working fine, as it accepts the username and password provided and correctly passes along this information to the CWS towers. I have also verified that there is a DNS entry that resolves the hostname that we are using, "proxy-auth", to 1.1.1.1.

Can anyone suggest any troubleshooting steps or commands that I may have missed? Everything appears to be working fine except for the client passing the credentials transparently.

ip auth-proxy watch-list enable
ip auth-proxy watch-list expiry-time 5
ip admission virtual-ip 1.1.1.1 virtual-host proxy-auth
ip admission watch-list enable
ip admission watch-list expiry-time 5
ip admission name WEBAUTH ntlm inactivity-time 30 absolute-timer 240 list CWS-AUTH-LOCAL-BYPASS
ip admission name WEBAUTH method-list authentication PROXY-AUTH authorization PROXY-AUTH

3 Replies

Edan Mudachi
Cisco Employee

Hi Cooper,

I think it would be most beneficial for you to open a TAC case on this issue, considering the troubleshooting required. Please include a copy of your show-tech, and if possible a packet capture on the client and ISR while reproducing the issue.

Sincerely,

Edan Mudachi

Ashok Sakthivel
Cisco Employee

Hi Cooper,

Can you please share #sh run | sec ip admission?

Thanks and Regards,

Ashok Sakthivel.

Router#show run | sec ip admission
ip admission virtual-ip 1.1.1.1 virtual-host proxy-auth
ip admission watch-list enable
ip admission watch-list expiry-time 5
ip admission name WEBAUTH ntlm inactivity-time 30 absolute-timer 240 list CWS-AUTH-LOCAL-BYPASS
ip admission name WEBAUTH method-list authentication PROXY-AUTH authorization PROXY-AUTH
ip admission WEBAUTH