
Transparent User Authentication not working after upgrade to 8.0.6

Tim Lewis
Level 1

After upgrading to 8.0.6 we had a lot of users having issues with accessing the Internet.

Initially, we thought that it may be WCCP, so we manually configured use of the proxy and people didn't have issues after that, so we thought it was WCCP.

After taking a better look, we realized that actually only HTTPS traffic is having issues, and it is affecting users only if they didn't use HTTP traffic before that. So we unconfigured the authentication realm, configured a new one (now supporting Kerberos, NTLM and Basic), configured it to support Transparent Authentication, the IP address of the CDA and the pre-shared key, and verified that it can communicate with everything OK, and all tests ended up being successful.

No help. The identity is configured to use the AD realm, Transparent Authentication, and to support "Guest Services", so if an IP address/username mapping can't be found, it should still allow an unauthenticated user to access.

Now, it doesn't work. When we tailed the access log, we saw being denied by WSA. Also, when we issued the authcache command, I saw about 20 usernames, but only 2-3 IP addresses total (like 17 entries had only usernames, 3 of them had a username and IP address below).

Also, we tried configuring HTTPS to decrypt authentication; users are prompted to accept a self-signed certificate and after that it works. Without it, you'll first need to use HTTP in order to get HTTPS working. Both of those should be in use if I am using actual authentication (Kerberos, NTLM or Basic), but I don't want to do so. There is not one identity that's using those, and the one I use doesn't have the option "Force Authentication" checked, it has "support guest service"...

 

Needless to say, all this worked fine with 7.7.5 version...

2 Replies

Hello

Might be an issue with the browser NTLM authentication. For example, some versions of Firefox do not perform the NTLM authentication prior to configuring it to do so.

Which browsers are you testing the authentication with?

Brgds

kussriva
Level 1

Hi,

 

Please make sure "Enable decryption for authentication" under HTTPS Proxy Settings --> Decryption Options is enabled.

 


Kush Srivastava
Cisco PDI TA
http://www.cisco.com/web/partners/tools/pdita.html
