I have an WSA S170 (Async 9), ISE (v2.0), Active Directory, WCCP router, no CDA server

With HTTP traffic, I believe it is doable for transparent authentication (WSA > ISE)

However for HTTPS traffic, whereby the WSA should have a browser prompt for user login after enabling HTTPS Proxy, does the WSA also contact the ISE to authenticate users? Or does it need to have integration with AD by itself, directly?

I am trying to avoid the case of WSA contacting AD as it uses SMBv1

Thanks in advance