The issue is that many apps aren't built to do authentication in their use of the http protocol. They hve no mechanism to grab the current logged in user and pass that in response to the challenge. You will find that Outlook will have similar issues.

If you are using IP surrogates, A quick fix is to tell your users to hit any internet page with IE first. They will get authed and stuff will work.

The permanent fix is to deploy a CDA or AD Agent. They scrape the AD logs for log ins and tie user id to ip and can pass that info to WSA,ASA, and ISE.

Sent from Cisco Technical Support Android App

Thanks for the above recommendations.

If i understand correctly: Installing the Context Directory Agent is the only way around this.

We also have the ISE in our environment; which is doing the 802.1x on the switchport side.

Currently our setup is in the way:

1. When user plugs their laptop to switch: it has to authenticate to the ISE-->AD to gain access to the LAN
2. Once authenticated: User will need to launch the browser and authenticate to the WSA-->AL to gain access to internet
3. which overall, we are seeing a 2 times authentication

If we were to install the CDA:

Does that mean that in order to bring the ISE+WSA together as a single sign on. Both the ISE and WSA needs to integrate with the CDA.

Appreciate any advise

I had it backwards... ISE can feed ID info of users that aren't AD users to the CDA... Then the CDA will feed the WSA with user info...

Taken from the CDA patch 2 release notes: (  http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/release_notes/cda10_rn.html#wp185334 )

Starting with patch 2, CDA can now receive information from Cisco Identity Services Engine (ISE) and Cisco Secure Access Control Server (ACS) in order to map users that do not directly login into Active Directory. CDA acts as a syslog server, receiving syslog messages from ISE and ACS, and populates the mapping table using network login information derived from ISE and ACS.

CDA supports ISE 1.1.x and 1.2 and ACS 5.3, and 5.4 only.

Client devices, such as the Cisco Adaptive Security Appliance (ASA) and the Cisco IronPort Web Security Appliance (WSA), interact with the Cisco CDA using the RADIUS protocol in order to obtain the latest set of IP-to-user-identity mappings, in any one of the following ways:

•On-Demand—The Cisco CDA can respond to an on-demand query from the client device for a specific mapping.

•Full Download—The Cisco CDA can respond to a request from the client device for the entire set of mappings currently in its cache.

The AD Agent interacts with the following components in a network:

•Client Devices

•Active Directory Domain Controller Machines

•Syslog Servers/Clients

Integration with ISE/ACS allows consumer devices such as ASA-CX and WSA to make security decisions for a large portion of network endpoints, including those that are not domain members. CDA passes the information to the consumer devices in the same format whether the user/domain information was received from a Windows domain controller event log or through integration with ISE/ACS.