06-20-2024 02:04 AM
I am having a problem after updating our WSA.
Randomly, when users browse, the WSA proxy will use the device name (hostname) to authenticate instead of the user name.
We are connected through AD with single sign-on and proxy error is
As you can see, it is using the hostname, and this only started to happen after updating; before, it only used the username.
Device: WSA S300V
Old version: 14.05.01
New version: 15.2.0-164
Any ideas?
06-24-2024 12:38 AM
To add to this I have found that this is using the Windows service account to try and reach Microsoft websites such as NCSI service.
Now, as we have a block-all, allow-selected policy, does anyone know how to allow service accounts through?
If you also know why this has happened after the update to 15.2.0-164 that would also be great.
08-21-2024 08:59 AM - edited 08-22-2024 01:19 PM
Did you find any solution for this?
08-29-2024 02:42 AM
Unfortunately, we have not been able to remove the issue completely and are still working on finding a solution.
Currently we have added two policies that are in the documentation.
One is a no auth for Windows agents and one is for the URLs. Although it did not remove the issue, it did reduce the amount of incorrect authentications.
I currently have a new TAC case open to resolve this issue or at least get it marked as a bug to be worked on in the next update.
Here is what has been done to reduce the amount, but this is not a solution.
User Guide for AsyncOS 15.2 for Cisco Secure Web Appliance- GD (General Deployment) - Authentication and Authorization [Cisco Secure Web Appliance] - Cisco
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-15-2/user-guide/swa-userguide-15-2/m-authentication-and-authorization.html#task_1448358
08-21-2024 10:57 AM
Hello @MohammedSaifudeen0373
The default cache time for the machine credentials would be 10 seconds, meaning that, after 10 seconds, WSA will again authenticate users, which will be with the user name this time.
You can check that from CLI > advancedproxyconfig > AUTHENTICATION
Hit Enter until you see:
Enter the surrogate timeout for machine credentials.
[10]>
If it is higher, you can change it to 10, and after that please commit the changes.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
08-22-2024 01:10 AM - edited 08-22-2024 01:10 AM
Hi @amojarra
When I checked, the surrogate timeout for machine credentials was already set to 10 seconds. I tried changing it to 5 and other values, then committed and tested, but no luck.
08-22-2024 02:01 PM
Thanks for the feedback @MohammedSaifudeen0373
May I ask you to please share the accesslogs (please remove/edit the sensitive data from them)?
Can you please try to open an HTTP and an HTTPS URL, and let's see what is happening in the accesslogs.
Thank you
Regards,
Amirhossein Mojarrad