cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
879
Views
0
Helpful
2
Replies
Tim Lewis
Beginner

Transparent User Authentication not working after upgrade to 8.0.6

After upgrading to 8.0.6 we had lot of users having issues with accessing the Internet.

Initially, we thought that it may be WCCP, so we configured manually to use proxy and people didn't had issues after that, so we thought it is WCCP.

 

After taking better look, we realized that actually only HTTPS traffic is having issues, and it is affecting users only if they didn't used HTTP traffic before that, so we unconfigured authentication realm, configured new one (now supporting Kerberos, NTLM and Basic), configured it to support Transparent Authentication, IP address of CDA and pre-shared key and verified that it can communicate with everything OK and all tests ended up being successfull.

No help. Identity is configured to use AD realm, Transparent Authentication, and to support "Guest Services", so if IP address/Username mapping can't be found, it should still allow unauthenticated user to access.

 

Now, it doesn't work. When we tailed access-log, we saw being denied by WSA. Also, when we issued authcache command, I saw about 20 usernames, but only 2-3 IP addresses total (like 17 entries had only usernames, 3 of them had username and IP address below).

 

Also, we tried with configuring HTTPS to decrypt authentication, users are prompted to accept self signed certificate and after that it works. Without it, you'll first need to use HTTP in order to get HTTPS working. Both those should be in use if I am using actual authentication (Kerberos, NTLM or Basic), but I don't want to do so, there is not one identity that's using those, and the one I use doesn't have option "Force Authentication" checked, it has "support guest service"...

 

Needless to say, all this worked fine with 7.7.5 version...

2 REPLIES 2
Felipe Guimaraes
Beginner

Hello

Might be a issue with the browser NTLM authentication.  For example, some versions of Firefox do not perform the NTLM authentication prior configuring it to do so.

 

Which browsers are you testing the authentication?

Brgds

kussriva
Beginner

Hi,

 

Please make sure "Enable decryption for authentication" under HTTPS Proxy Settings --> Decryption Options is enabled.

 


Kush Srivastava
Cisco PDI TA
http://www.cisco.com/web/partners/tools/pdita.html

Content for Community-Ad