Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2263
Views
10
Helpful
9
Replies

WSA blocking smartphones before authentication

Go to solution
andre.ortega
Spotlight
Spotlight

‎08-29-2018 08:06 AM

Hello there,
we are deploying WSA and it's working, but when someone access the wifi using an smartphone, and try to access the internet, the access is blocked.

The user connects to the WiFi, then the smartphone detects that doesnt have internet access (because the user arent authenticated on WSA yet) and open its pseudo browser (kind of a popup), warning the user that he should authenticate.
But when the user clicks on that warning WSA send the block page "access not authenticated", instead of ask for authentication.

How we could correct this behavior?

Thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Sakun Sharma
Level 1
Level 1

‎09-03-2018 11:52 PM

I believe is not all the application and OS level service supports authentication and would need direct Internet access or transparent redirection with no authentication. Or there is an app called Microsoft Authenticator, maybe try that, that might help.

View solution in original post

Go to solution
Handy Putra
Cisco Employee
Cisco Employee
In response to Sakun Sharma

‎09-04-2018 07:51 PM

I would agree with Sakun here, since displaying the pop up to enter authentication is depends on the application capabilities. Not all application have the capabilities to do this (internet browser such as chrome, firefox, safari, IE can definitely do this).

When you check in the WSA accesslogs, you should find logs that would have TCP_DENIED/407 or TCP_DENIED/401 for that traffic, which indicating WSA is requesting for authentication to move forward and when WSA does not get response on that request, it will display the block page advising authentication required.

View solution in original post

9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-29-2018 12:22 PM

how is this user authenticated  from smart phone ?

 

WSA configured of single sign on capabilities ?

 

Look at the access log, it will give you some idea, why this is failing.

 

go to command level

grep 

option 1

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to balaji.bandi

‎08-29-2018 01:01 PM

If user opens a browser, like Chrome, it (the browser) shows a popup then user can authenticate.

The problem is when the smartphone shows automaticaly that "pseudo browser", you know? It is an warning on the top of the phone's screen. In this case, if the user clicks, it shows wsa's block page.

That is the problem. It should shows the popup so user can log in, or at least, it should say "open a browser".


Single sign on doesn't apply to users that are not logged in domain...
There was nothing on access log that could help.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to andre.ortega

‎08-29-2018 09:52 PM

Coming back to basic information to understand the setup.

it would be nice to explain your setup to understand better.

 

how is WSA allow user to access internet, what basis ? any user can use your WSA and browse internet, how are you redirecting traffic to WSA, WCCP or proxy config ?

 

If no log shown means it by passing proxy, what kind of rules setup for these kind of devices.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to balaji.bandi

‎08-30-2018 05:24 AM

We are redirecting all traffic (http and https) through PBR.

All users from AD are allowed. There is logs, but it just says "blocked non authenticated access".

 

I don't know if I made myself clear... but it works if user open a browser on the smartphone and try to access some webpage. In this case the browser shows a popup and then user can log in.
The problem is when the user try to log in using that "fake browser", built in the SO.

 

Thanks for your help balaji.

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to balaji.bandi

‎08-30-2018 09:15 AM - edited ‎08-31-2018 01:53 PM

(view in My Videos)

 

See the behavior.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to andre.ortega

‎08-30-2018 11:59 AM

As per the video since it is not English not able to understand.

 

what is the IP  : 10.91.16.117

is that your proxy URL : http://proxy.insper.local ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
andre.ortega
Spotlight
Spotlight
In response to balaji.bandi

‎08-31-2018 01:54 PM - edited ‎08-31-2018 01:56 PM

I changed the video, if you can, please edit your post to represent the right content.

Basicaly the IP 10.123.45.102 (new video) is the client IP.

wsa.lab.added.com.br is the WSA hostname.

0 Helpful

Go to solution
Sakun Sharma
Level 1
Level 1

‎09-03-2018 11:52 PM

I believe is not all the application and OS level service supports authentication and would need direct Internet access or transparent redirection with no authentication. Or there is an app called Microsoft Authenticator, maybe try that, that might help.

Go to solution
Handy Putra
Cisco Employee
Cisco Employee
In response to Sakun Sharma

‎09-04-2018 07:51 PM

I would agree with Sakun here, since displaying the pop up to enter authentication is depends on the application capabilities. Not all application have the capabilities to do this (internet browser such as chrome, firefox, safari, IE can definitely do this).

When you check in the WSA accesslogs, you should find logs that would have TCP_DENIED/407 or TCP_DENIED/401 for that traffic, which indicating WSA is requesting for authentication to move forward and when WSA does not get response on that request, it will display the block page advising authentication required.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents