
Apple iOS via Ironport WSA


I'm hoping for some help with trying to authenticate Apple iOS devices via an Ironport S650.

I'm authenticating devices to the corporate network successfully with NPS; however, I'm frequently encountering authentication failures.

In the authlogs I am seeing a number of messages such as:

Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user []\[ipad@domain.com]@[DN6FXBA4DFJ1] failed due to [No such user]

Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)

Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[DN6FXBA4DFJ1] failed due to [Invalid workstation}


I have configured the iPad to use the proxy server on port 80 and entered a valid username (iPad) and password. On launching Safari, I am repeatedly prompted for a username and password still.

Having done a little more reading, I gather that this is just the first of many issues I may encounter. As such, I'm keen to know if anybody has successfully deployed iPads connecting to the web via an Ironport appliance and, if so, what you would recommend.

Thanks,

Neil
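
An added example, not part of the original post and not Cisco code: a small Python parser for the PROX_AUTH authlog lines quoted above, which groups the failures by account and reason so the two failure modes can be told apart. The function names and the `upn_no_domain` flag are assumptions made for this illustration; the sample input is the three lines from the post.

```python
import re
from collections import Counter

# Constructed sample input: the three authlog lines quoted in the post.
SAMPLE = r"""Tue Nov 20 14:08:14 2012 Info: PROX_AUTH : - : Login for user []\[ipad@domain.com]@[DN6FXBA4DFJ1] failed due to [No such user]
Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : NTLM CRAP authentication for user [DOMAIN]\[ipad] returned NT_STATUS_INVALID_WORKSTATION (PAM: 7)
Tue Nov 20 14:27:40 2012 Info: PROX_AUTH : - : Login for user [DOMAIN]\[ipad]@[DN6FXBA4DFJ1] failed due to [Invalid workstation}
"""

TS = r"(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) Info: PROX_AUTH : - : "
# Accounts are logged as [DOMAIN]\[user]; the domain part may be empty.
WHO = r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
# The third sample line closes its reason with "}" instead of "]", so accept either.
LOGIN_RE = re.compile(TS + r"Login for user " + WHO +
                      r"@\[(?P<host>[^\]]*)\] failed due to \[(?P<reason>[^\]}]*)[\]}]")
NTLM_RE = re.compile(TS + r"NTLM CRAP authentication for user " + WHO +
                     r" returned (?P<reason>NT_STATUS_\w+)")


def parse_failures(text):
    """Return one dict per PROX_AUTH failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line) or NTLM_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev.setdefault("host", None)  # NTLM status lines carry no workstation field
        # Username arrived in user@domain form while the domain field is empty.
        ev["upn_no_domain"] = ev["domain"] == "" and "@" in ev["user"]
        events.append(ev)
    return events


def summarize(events):
    """Count failures per (DOMAIN\\user, reason) pair."""
    return Counter((f"{e['domain']}\\{e['user']}", e["reason"]) for e in events)


if __name__ == "__main__":
    for (account, reason), n in summarize(parse_failures(SAMPLE)).items():
        print(f"{n:3d}  {account:<24} {reason}")
```
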


Erik Kaiser
Cisco Employee

Hi Neil,

How to process Apple QuickTime (MAC/OSX) requests via Cisco Ironport Web Security Appliance (WSA) if NTLM authentication is required?

Environment:

  • Cisco Ironport Web Security Appliance (WSA)
  • NTLM authentication using the schemes "NTLMSSP" or "Basic or NTLMSSP"
  • Mac OS X 10.5 (Leopard) / Mac OS X 10.6 (Snow Leopard)
  • Apple QuickTime (verified 7.6.5 / 7.6.6)

Symptoms:

The Mac OS X version of QuickTime fails to pass the NTLM authentication challenge and to fetch streaming content via WSA if either the NTLM scheme "NTLMSSP" or "Basic or NTLMSSP" has been selected. Executing QuickTime in embedded (browser) or standalone mode makes no difference.

Solution:

QuickTime for Mac OS X does not support the NTLM authentication schemes "NTLMSSP" and "Basic or NTLMSSP".
QuickTime will establish connections once one of the following workarounds has been applied:

(A) Disable authentication (Not recommended)
(B) Change the global authentication scheme to NTLM "Basic (only)".
(C) Create an authentication exception for the OSX QuickTime player using the
      custom user agent "QuickTime" or "QuickTime/VERSION" (QuickTime/7.6.6 for example).

Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator