IronPort WSA 7.5 Authentication

Mustapha Arakji
Level 1

Hi,

I have set up authentication on WSA using NTLM, and the WSA is also joined to the domain successfully. Authentication works fine, but if I want to prompt the user for a username and password, he should enter the domain/username with the password; if I use only the username without the domain, the authentication fails. Is there any fix for this?

Regards,

5 Replies

jness
Level 1

We faced the same issue and our solution was to use an additional proxy port and configure that port to only use basic authentication where you can specify the domain in the identity policy so users wouldn't need to use domain\username for the username since we are only working with a single domain.

OK, so when you say we used another port, you mean an interface on the IronPort or the TCP port number?

Regards,

TCP proxy port on the IronPort WSA. In our environment we use 3128 for NTLM or Basic and 3129 for Basic set to our AD domain. Our needs required both scenarios (NTLM & Basic) depending on if the user account was an individual user or a generic account. If you are looking for all users to be prompted via basic you could just change your identity policy to use Basic and set the domain.

So I have to create two identities? I still need to keep my authentication secure. So I have to "use encrypted HTTPS connection for authentication".

Is that right?

Till now I have tried to create two identities, one with NTLMSSP and one with Basic. If I have explicit proxy, I can define the port, and then I can choose what type of authentication I need. But what if I have transparent proxy?

Also note that in Basic, I will be asked for the pop-up, even if the PC is joined to the domain, which doesn't provide the transparent authentication!

Regards,

You would only need to create 2 identities if you require NTLM for some users and Basic for others. If you want all users to receive the prompt, then no, you can just change your current identity policy.

Transparent proxy is a bit more limiting, but in 7.5 you can use the AD Agent (although it sounds like you want users to be prompted so this may not be of benefit.)

Your original post said you wanted users to be able to type in their username and password so this would seem to point towards basic. You would probably be best to identify all of your requirements and work with TAC to see if it can be configured to meet your needs.