
New Member

How to block users based not on their IP address

Hello experts,


I had been using normal ACLs for blocking web-browsing (HTTPS/HTTP) access for my company users. But recently we started using DHCP to provide automatic IP addresses for users. This means I am no longer able to block/allow specific users' web access based on their IP addresses, because they have automatic IPs assigned.


Can anyone advise me what other option, except ACLs, I can use to block users' web access?


2- Second question: How can I block Tor Browser on my network? I tried using NBAR2, tried using the (class-map match protocol attribute sub-category client-server) options... but none of them gave me any positive result. Any advice please.



  • Web Security
Hall of Fame Super Silver

If you're using a router, it knows about IP addresses, not user identities.

If you're using an ASA firewall, you can use the identity firewall features.

Otherwise you'd have to do a web proxy that has hooks to authenticate the end users, either actively or passively. You could also do this with a Cloud Web Security (former ScanSafe product) connector in your router.

I've not tried to do anything with blocking TOR so I don't know about that one.

Both of your questions can easily be done with a Palo Alto firewall.

It can see users in Windows AD and block,

and it can see the Tor protocol and block.

The latest ASA software can also see users in AD and PC IP addresses,

but I am not sure about the Tor protocol.

Cisco Employee

Here are different ways you can block TOR traffic:

* Requiring NTLM auth in explicit proxy mode stops it cold - this is just a missing feature in TOR.
* If you disable auth, or use Basic auth, then requiring that SSL destinations have server certs signed by known CAs will stop it. (This works regardless of the decryption reputation, as the WSA always appears to check this in explicit mode when configured.)
* If you disable the above two methods, the "filter avoidance" URL category is only effective against the initial "find directory servers" boot-up. If we miss one, or the client has this info cached from before, the URL category is not effective.
* Another method that would be effective would be to block all browsing by IP address; however, this has a pretty good chance of false

Notice that the above will only work if all egress ports which are not proxied are blocked. TOR will attempt to go outbound on higher ports; if the customer is not blocking these (e.g. on the firewall), it becomes nearly impossible to effectively block TOR.
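The reply's fourth method (blocking all browsing by IP address) can be tested against proxy logs before anyone enforces it, so its side effects are visible up front. The script below is an added example, not code from the thread or from any Cisco product: it parses constructed proxy access-log lines in a hypothetical five-field format (timestamp, client, method, target, status), resolves the destination host for both CONNECT tunnels and plain URLs, and reports requests whose destination is a bare IPv4 or IPv6 literal rather than a hostname. As an assumption, RFC 1918 and IPv6 ULA destinations are excluded so that internal-only traffic is not reported, which is one way to narrow the caution the reply raises about this method.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy access-log lines (hypothetical format:
# timestamp, client IP, method, target, HTTP status). Not taken from the thread.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.1.2.3 GET http://www.example.com/index.html 200
2024-01-01T10:00:02Z 10.1.2.3 CONNECT 203.0.113.10:443 200
2024-01-01T10:00:03Z 10.1.2.4 CONNECT 10.0.5.20:8443 200
2024-01-01T10:00:04Z 10.1.2.5 GET http://198.51.100.7:9001/tor/status-vote/current/consensus 200
2024-01-01T10:00:05Z 10.1.2.6 CONNECT [2001:db8::1]:443 200
2024-01-01T10:00:06Z 10.1.2.7 GET https://mail.example.com/ 200
"""

# Assumption: destinations inside these ranges are internal services and are
# not reported, to keep the "browsing by IP" heuristic from catching intranet hosts.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# One regex for the hypothetical log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


def destination_host(method, target):
    """Return the destination host of a request.

    CONNECT targets are 'host:port' with no scheme, so a '//' prefix is added
    to make urlsplit treat them as a network location; other methods carry a full URL.
    """
    if method == "CONNECT":
        return urlsplit("//" + target).hostname
    return urlsplit(target).hostname


def literal_ip(host):
    """Return an ip_address object if host is a bare IP literal, else None.

    urlsplit().hostname already strips the brackets from IPv6 literals.
    """
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def flag_ip_browsing(log_text):
    """Return the requests whose destination is an external IP literal.

    Each result is a dict with the client, method and destination so an analyst
    can review what a 'block browsing by IP' policy would actually have stopped.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        ip = literal_ip(destination_host(m["method"], m["target"]))
        if ip is None or is_internal(ip):
            continue
        flagged.append({"client": m["client"], "method": m["method"], "destination": str(ip)})
    return flagged


if __name__ == "__main__":
    for hit in flag_ip_browsing(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} -> {hit['destination']}")
```

Run over the constructed sample, the script reports three of the six lines: the CONNECT to 203.0.113.10, the directory-style fetch from 198.51.100.7:9001, and the IPv6 CONNECT to 2001:db8::1; the CONNECT to 10.0.5.20 is skipped as internal. Running the same logic over a few days of real proxy logs, and reviewing what it flags, is a cheap way to measure how much legitimate traffic such a policy would also stop before it is turned on.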
