1660 Views, 0 Helpful, 3 Replies

Cisco WSA & Windows 20H2- Transparent Authentication Failing

KyleHVB
Level 1

Hello,


We are having an issue with our endpoints not authenticating against our WSA. Only users on the modern versions of Windows (20H2) are getting a login prompt from our WSA. It's happening almost every time users attempt any sort of internet connection that isn't on any of our allowlists. If anyone has seen this before or could point me in the right direction, that would be incredibly helpful.

WSA Version: 11.8.3-018


Thank you.

3 Replies

RobinGeers2471
Level 1

Hello,

 

What do you see in the Log Subscription Authentication Framework Logs? 

You can make a TCPdump to see what happens in the authentication process with the Proxy. Compare the not working dump with a working dump to see what's different. 

 

Do you have these workstations in different subnets? If yes, check your Identification Profiles to confirm the correct subnets are present.


Regards,

Robin

Hi Robin,

Thanks for the reply. All endpoints are in the same subnet, so that shouldn't be the issue. When looking at the authentication logs, I see something that looks like Kerberos issues:

Tue Jun  8 08:33:12 2021 Warning: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: failed to decrypt ticket
Tue Jun  8 08:33:12 2021 Critical: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: verify ticket failed
Tue Jun  8 08:45:22 2021 Info: PROX_AUTH : 7944356 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.147)
Tue Jun  8 09:00:27 2021 Info: PROX_AUTH : 7962229 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.133)

 

RobinGeers2471
Level 1

Hi,

 

You can ignore the message "krb5_verify_ap_req2: verify ticket failed". It is intended behavior and has no real performance impact on the authentication process. Unfortunately you can't filter this message out from the proxy logs. A request (CSCvx96104) is running for this.

 

The other message doesn't say much. You can adjust the log level to debug for the proxy log subscription to hopefully get more details. Also, a TCPdump is still useful to make.

 

Which authentication methods do you allow in your identification profile? 

Are both workstations using the same authentication method?


Regards,

Robin
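As an added example (not from the thread and not Cisco's own tooling), a small Python script that parses Authentication Framework log lines in the format Kyle posted, drops the krb5 "verify ticket failed" noise Robin says to ignore, and counts the real "Authentication failed for IP" events per client so the affected 20H2 machines can be singled out for a working-vs-failing tcpdump comparison. The sample lines and the repeat threshold are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same format as the thread's log excerpt
# (timestamps, counters and IPs are made up, not real data).
SAMPLE_LOG = """\
Tue Jun  8 08:33:12 2021 Warning: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: failed to decrypt ticket
Tue Jun  8 08:33:12 2021 Critical: PROX_AUTH : 7933541 : [3182: DOMAIN.COM]krb5_verify_ap_req2: verify ticket failed
Tue Jun  8 08:45:22 2021 Info: PROX_AUTH : 7944356 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.147)
Tue Jun  8 09:00:27 2021 Info: PROX_AUTH : 7962229 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.133)
Tue Jun  8 09:02:10 2021 Info: PROX_AUTH : 7962401 : [3168] Final Response from Auth Helper is NA. Authentication failed for IP (10.100.10.147)
"""

# One PROX_AUTH line: timestamp, level, sequence counter, [context], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<level>\w+): PROX_AUTH : (?P<seq>\d+) : \[(?P<ctx>[^\]]*)\](?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Authentication failed for IP \((?P<ip>[\d.]+)\)")
# Message the thread says is expected behaviour and can be ignored.
BENIGN = "krb5_verify_ap_req2: verify ticket failed"


def parse_line(line):
    """Split one log line into its fields, or return None if it is not PROX_AUTH."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def summarize(log_text):
    """Return (failures per client IP, benign krb5 line count, unparsed lines)."""
    failures, benign, unparsed = Counter(), 0, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)        # keep for manual review, never silently drop
        elif BENIGN in rec["msg"]:
            benign += 1                  # known noise, counted but not reported
        elif (f := FAIL_RE.search(rec["msg"])):
            failures[f.group("ip")] += 1
    return failures, benign, unparsed


def repeat_offenders(failures, threshold=2):
    """Clients failing at least `threshold` times: good tcpdump candidates."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    fails, noise, bad = summarize(SAMPLE_LOG)
    print(f"ignored {noise} benign krb5 line(s), {len(bad)} unparsed")
    for ip, n in fails.most_common():
        print(f"{ip}: {n} failed authentication(s)")
    print("repeat failures:", repeat_offenders(fails))
```

Feed it the exported Authentication Framework log instead of SAMPLE_LOG; IPs that keep failing after the benign lines are removed are the ones whose identification profile and authentication method are worth checking first.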