Issues with ZIA + Verizon's SON Feature + MS Auth

We’re running into a weird issue and are seeking assistance to find a solution. We have users who are running into issues accessing SSO resources that are Microsoft SSO and externally hosted; they are also using this newer-model white Verizon router that uses a Self Organized Network feature. SON steers the laptop into whatever combination of radio (2.4/5), channel, and 802.11x protocol works best for it at a given moment, based on what it supports and other utilizations, distances from AP, etc. Our findings are as follows:

Verizon + MS Auth + Zscaler = doesn’t work
Verizon + MS Auth + ZCC/ZIA turned off = Works
Verizon + Zscaler + Any other website = Works
Verizon (NO SON feature) + Zscaler + MS Auth = Works
Zscaler + MS Auth + OTHER ISPs = Works

We’ve reinstalled ZCC, we’ve replaced laptops, and we’ve piloted ZDX, and the only events seem to be the Wi-Fi changing radios. Any help or advice would be greatly appreciated. We have a workaround of enabling a user’s guest SSID on their Verizon router (the guest network is 2.4 GHz and doesn’t use SON) and that works, but we don’t want to have to advise a ton of people in our organization to be messing with their home routers. If anybody else has seen anything like this and found a solution, please let me know!

Preston, it sounds like the SON feature probably uses NAT, and I would guess each SSID uses a different address (speculation). If auth is split between different IPs, you are going to see funny behavior like this. I would grab a network trace from the browser developer tools and look for the URLs that are being split up. I am assuming you have the auth URLs bypassed; my guess is that you have one that is not, and it is the one causing you issues.


-Todd Harcourt-
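
One way to do the check suggested in the reply above, as an added example that is not part of either post: it reads a browser developer-tools HAR export and lists the hosts contacted during sign-in that are not covered by a bypass list. The HAR contents, the bypass entries and the suffix-matching rule are constructed assumptions, not the poster's Zscaler configuration.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt (HAR 1.2 layout: log.entries[].request / .response).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"},
     "response": {"status": 200}},
    {"request": {"url": "https://login.microsoftonline.com/common/oauth2/v2.0/token"},
     "response": {"status": 200}},
    {"request": {"url": "https://sso.app.example.com/saml/acs"},
     "response": {"status": 302}},
    {"request": {"url": "https://cdn.auth.example.net/session"},
     "response": {"status": 0}},  # status 0: request never completed
]}})

# Constructed bypass list. Assumption: a leading dot means "this domain and
# all subdomains"; any other entry must match the host exactly.
BYPASS = ["login.microsoftonline.com", ".example.com"]

def host_is_bypassed(host, bypass):
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in bypass):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def summarize_har(har_text, bypass):
    """Return {host: {"requests", "statuses", "bypassed"}} for every HAR entry."""
    hosts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host:
            continue  # data: or blob: URLs carry no host
        info = hosts.setdefault(host, {"requests": 0, "statuses": set(),
                                       "bypassed": host_is_bypassed(host, bypass)})
        info["requests"] += 1
        info["statuses"].add(entry.get("response", {}).get("status"))
    return hosts

def not_bypassed(hosts):
    """Hosts in the sign-in flow that would still be sent through the proxy."""
    return sorted(h for h, info in hosts.items() if not info["bypassed"])

if __name__ == "__main__":
    summary = summarize_har(SAMPLE_HAR, BYPASS)
    for host in not_bypassed(summary):
        print(host, sorted(summary[host]["statuses"]))
```

HAR exports include cookies and tokens from the captured session, so strip or redact them before attaching a trace to a support case or forum post.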