Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1801
Views
4
Helpful
5
Replies

Macbook not able do transparent authentication

waqas gondal
Level 1
Level 1

‎10-09-2014 12:03 PM

Hi,

 

I have a WSA and I am trying to test connectivity with a macbook pro.

 

What I would like is for it to be completely transparent for the user where the AD credentials are passed to the Ironport without having to be entered in the browser. However it seems that either the Macbook is not able to pass the credentials to Ironport or the something needs to be done on the ironport. When I test the authentication realm settings on the Ironport everything is successful and I have AD agent enabled for transparent user identification.

 

The only thing I can see in the logs of the Ironport are that they don't see a username when the client tries to passthrough. Here is a copy paste of the logs from when I open safari:

#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%. %u
1412884849.093 240 10.186.49.69 TCP_DENIED_SSL/200 0 TCP_CONNECT 12.129.16.124:443 - DIRECT/12.129.16.124 - DECRYPT_ADMIN_2-NONE-lll_Corp_Identity-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - -
1412884849.111 0 10.186.49.69 TCP_DENIED_SSL/307 0 GET https://12.129.16.124:443/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884849.148 0 10.186.49.69 TCP_DENIED/307 0 GET http://12.129.16.124/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884859.634 460 10.186.49.69 TCP_DENIED_SSL/200 0 TCP_CONNECT 12.129.16.124:443 - DIRECT/12.129.16.124 - DECRYPT_ADMIN_2-NONE-lll_Corp_Identity-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - -
1412884859.653 0 10.186.49.69 TCP_DENIED_SSL/307 0 GET https://12.129.16.124:443/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884859.690 0 10.186.49.69 TCP_DENIED/307 0 GET http://12.129.16.124/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884863.430 0 10.186.49.69 TCP_DENIED/307 0 GET http://www.apple.com/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1"
1412884863.447 0 10.186.49.69 TCP_DENIED/401 0 GET http://sscproxy/B0001D0000N0001F0000S0000R0004/http://www.apple.com/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1"
1412884869.914 197 10.186.49.69 TCP_DENIED_SSL/200 0 TCP_CONNECT 12.129.16.124:443 - DIRECT/12.129.16.124 - DECRYPT_ADMIN_2-NONE-lll_Corp_Identity-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - -
1412884869.932 0 10.186.49.69 TCP_DENIED_SSL/307 0 GET https://12.129.16.124:443/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884870.011 0 10.186.49.69 TCP_DENIED/307 0 GET http://12.129.16.124/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884880.233 197 10.186.49.69 TCP_DENIED_SSL/200 0 TCP_CONNECT 12.129.16.124:443 - DIRECT/12.129.16.124 - DECRYPT_ADMIN_2-NONE-lll_Corp_Identity-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - -
1412884880.252 0 10.186.49.69 TCP_DENIED_SSL/307 0 GET https://12.129.16.124:443/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"
1412884880.293 0 10.186.49.69 TCP_DENIED/307 0 GET http://12.129.16.124/ - NONE/- - OTHER-NONE-lll_Corp_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - "Cisco AnyConnect VPN Agent for Mac OS X 3.0.08057, AnyConnect Agent 3.0.08057"

 

Any idea where I could start troubleshooting. 

Labels:
0 Helpful
5 Replies 5

Tim Glen
Cisco Employee
Cisco Employee

‎10-22-2014 09:24 AM

To the best of my knowledge, Mac's are not able to transparently pass credentials to the WSA like Windows PC's are.

In my Identities I've had to click Support Guest Privileges if Transparent user identification fails. 

 

waqas gondal
Level 1
Level 1
In response to Tim Glen

‎10-22-2014 12:02 PM

Thanks

0 Helpful

Porfirio Alvarado
Level 1
Level 1
In response to Tim Glen

‎10-22-2014 07:15 PM

Tim, Question about using Guest Privileges if i have a policy to have users authentication to access  a website and to keep users with out a valid account from reaching it. Does enabling Guest access allows users that do not have a valid account to access the site? Or does it stop from prompting the user again to authenticate.

 

 

0 Helpful

Tim Glen
Cisco Employee
Cisco Employee
In response to Porfirio Alvarado

‎10-28-2014 06:06 PM

To the best of my knowledge, 

Under Identities, If you check:

 

If transparent user identification fails: Support Guest privileges 

 

AND you don't have any other Identities afterward that may authenticate a didfferent way.  Then a user that does not authenticate will not be able to access any web sites. 

 

Tim


Please rate answers that help. :) 

 

0 Helpful

kushsriva
Level 1
Level 1

‎10-30-2014 04:16 AM

Hi,

 

By default MAC does not support NTLM due to which SSO does not work like Windows.

You can go ahead and exempt the MAC PC's from user authentication if you do not want users to be prompted for authentication.

To exempt authentication for mac users:

Create a new identity and match the user agent string to "Mac"

(from the GUI -> web security manager -> identity -> advanced -> user-agent
-> add "Mac" -> submit).

 

-- Do Rate if Helpful.

Regards,

Kush

0 Helpful
Customers Also Viewed These Support Documents