12-01-2014 10:03 PM
After upgrading to 8.0.6 we had a lot of users having issues with accessing the Internet.
Initially, we thought that it may be WCCP, so we manually configured use of the proxy and people didn't have issues after that, so we thought it is WCCP.
After taking a better look, we realized that actually only HTTPS traffic is having issues, and it is affecting users only if they hadn't used HTTP traffic before that. So we unconfigured the authentication realm, configured a new one (now supporting Kerberos, NTLM and Basic), configured it to support Transparent Authentication, the IP address of the CDA and the pre-shared key, and verified that it can communicate with everything OK, and all tests ended up being successful.
No help. Identity is configured to use the AD realm, Transparent Authentication, and to support "Guest Services", so if an IP address/username mapping can't be found, it should still allow an unauthenticated user to access.
Now, it doesn't work. When we tailed access-log, we saw being denied by WSA. Also, when we issued the authcache command, I saw about 20 usernames, but only 2-3 IP addresses total (like 17 entries had only usernames, 3 of them had username and IP address below).
Also, we tried configuring HTTPS to decrypt authentication; users are prompted to accept a self-signed certificate and after that it works. Without it, you'll first need to use HTTP in order to get HTTPS working. Both of those should be in use if I am using actual authentication (Kerberos, NTLM or Basic), but I don't want to do so. There is not one identity that's using those, and the one I use doesn't have the option "Force Authentication" checked, it has "support guest service"...
Needless to say, all this worked fine with 7.7.5 version...
05-23-2015 01:14 PM
Hello
Might be an issue with the browser NTLM authentication. For example, some versions of Firefox do not perform the NTLM authentication prior to being configured to do so.
Which browsers are you testing the authentication with?
Brgds
05-28-2015 05:43 AM
Hi,
Please make sure "Enable decryption for authentication" under HTTPS Proxy Settings --> Decryption Options is enabled.
Kush Srivastava
Cisco PDI TA
http://www.cisco.com/web/partners/tools/pdita.html