IronPort does not send requests to Active Directory

Aug 21st, 2013

Hi,


We need to configure an exception so that the network 10.0.53.0/24 does not require validation on the IronPort WSA. However, users of this network must still pass through all the content filters appropriate to their AD group.


NOTE: I need the IronPort not to send requests to Active Directory when users on the 10.0.53.0/24 network need to go to the internet.


regards,


Yerko.

Erik Kaiser Wed, 08/21/2013 - 14:04
Cisco Employee

Hi Yerko,


You have to use authentication in order for users to be applied to an access policy based on an AD group. If you want the users to pass through the WSA unauthenticated, you can do so by creating a no-authentication identity based on IP class or subnet. But you will not be able to use AD groups, as the WSA does not maintain a listing of users and groups; that would require AD to be installed and licensed on the WSA.



Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

yerko alexander... Wed, 08/21/2013 - 14:48

Actually this appliance is licensed with the following feature keys:


Is another feature necessary?


If you have news, let me know please.


regards,


Yerko

Vance Kwan Wed, 08/21/2013 - 22:58
Cisco Employee

Greetings Yerko,


No other features are required for the authentication piece.


In order for the WSA to determine what AD groups a user/IP belongs to, it will need to do authentication. Therefore, you will not be able to bypass authentication based on AD group. I hope this helps.


-Vance

yerko alexander... Thu, 08/22/2013 - 12:49

Then that idea is not possible: "We need to configure an exception so that the network 10.0.53.0/24 does not require validation on the IronPort WSA. However, users of this network must still pass through all the content filters appropriate to their AD group."



IS IT NOT POSSIBLE??????????

Vance Kwan Thu, 08/22/2013 - 22:17
Cisco Employee

That is correct. This is not possible.


Correct me if I am wrong. It sounds like you do not want authentication, but still would like to control these users using their AD group.


You might want to look into using the Context Directory Agent. The agent scans the Active Directory security logs for logon events and builds a user-to-IP mapping table. When the users in the 10.0.53.0/24 network access the internet, they will not need to authenticate. The WSA will query the Context Directory Agent to see who is on the IP address. If there is a user, then AD groups can be used. If there is no user, then the request is treated as a Guest.


The Context Directory Agent runs on CentOS. It will need to be hosted on a dedicated machine or a virtual machine. The required disk space is 120 GB.


-Vance
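To make the mechanism Vance describes concrete, here is an added illustration (not code from Cisco, the CDA, or anyone in this thread) of what a user-to-IP mapping built from AD logon events looks like, and how a proxy-side lookup would go from IP to user to AD group to access policy, falling back to Guest when no user is mapped. Windows Event ID 4624 (successful logon) and 4625 (failed logon) are real event IDs, but the one-line log layout, the account names, the group table and the policy names are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of AD security-log events. The real Windows event layout
# is XML/multi-line; this flattened one-line form is invented for readability.
SAMPLE_EVENTS = [
    "2013-08-21T14:01:05 EventID=4624 Account=yerko Domain=CORP SourceIP=10.0.53.17 LogonType=3",
    "2013-08-21T14:01:06 EventID=4624 Account=WS017$ Domain=CORP SourceIP=10.0.53.17 LogonType=3",
    "2013-08-21T14:02:30 EventID=4624 Account=erik Domain=CORP SourceIP=10.0.53.42 LogonType=3",
    "2013-08-21T14:05:00 EventID=4625 Account=mallory Domain=CORP SourceIP=10.0.53.42 LogonType=3",
    "2013-08-21T14:09:10 EventID=4624 Account=vance Domain=CORP SourceIP=10.0.53.42 LogonType=3",
    "2013-08-21T14:10:00 EventID=4624 Account=svc_backup Domain=CORP SourceIP=- LogonType=5",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) Domain=(?P<dom>\S+) "
    r"SourceIP=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)

# Constructed group membership; a real agent or proxy would pull this from AD over LDAP.
AD_GROUPS = {
    "CORP\\yerko": {"Finance", "Domain Users"},
    "CORP\\erik": {"IT", "Domain Users"},
    "CORP\\vance": {"Domain Users"},
}

# Constructed policy table, evaluated top-down like a WSA access-policy list: first match wins.
POLICY_TABLE = [
    ("IT", "IT_Unrestricted"),
    ("Finance", "Finance_Filtered"),
    ("Domain Users", "Default_Filtered"),
]
GUEST_POLICY = "Guest_Restricted"


def build_user_ip_map(lines):
    """Replay logon events; return {ip: (DOMAIN\\user, timestamp)} where the latest logon per IP wins."""
    mapping = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["id"] != "4624":
            continue  # only successful logons create a mapping; failures (4625) never do
        if m["acct"].endswith("$"):
            continue  # machine accounts would otherwise overwrite the human user on that host
        if m["ip"] in ("-", "127.0.0.1", "::1"):
            continue  # no usable client address (local or service logons)
        ts = datetime.fromisoformat(m["ts"])
        user = f"{m['dom']}\\{m['acct']}"
        prev = mapping.get(m["ip"])
        if prev is None or ts >= prev[1]:
            mapping[m["ip"]] = (user, ts)
    return mapping


def resolve_policy(ip, mapping, groups=AD_GROUPS, table=POLICY_TABLE):
    """Proxy-side lookup: IP -> mapped user -> AD groups -> first matching policy, else Guest."""
    entry = mapping.get(ip)
    if entry is None:
        return None, GUEST_POLICY  # nobody mapped on this IP: treat as Guest
    user = entry[0]
    user_groups = groups.get(user, set())
    for group, policy in table:
        if group in user_groups:
            return user, policy
    return user, GUEST_POLICY  # known user but no policy match: still Guest


if __name__ == "__main__":
    table = build_user_ip_map(SAMPLE_EVENTS)
    for ip in ("10.0.53.17", "10.0.53.42", "10.0.53.99"):
        print(ip, resolve_policy(ip, table))
```

Two things the sample data is chosen to show: a failed logon (4625) and a machine-account logon never change the mapping, and when two people log on from the same address (erik, then vance on 10.0.53.42) the later logon wins, so shared hosts, terminal servers and NAT'd subnets get a single identity for everyone behind that IP. That is the accuracy trade-off of any passive IP-to-user agent compared with per-request authentication, and worth keeping in mind before routing a whole /24 through it.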
