Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
915
Views
0
Helpful
5
Replies

Ironport don´t send request to Active Directory

yerko alexander munoz diaz
Level 1
Level 1

‎08-21-2013 01:13 PM

Hi,

     

We need to configure an exception to allow the network 10.0.53.0/24 not require validation in Ironport WSA. however users of this network must pass through all content filters appropriate according to their AD group.

NOTE: I need that Ironport don´t send request to Active Directory, when users to network 10.0.53.0/24 need go to internet.

regards,

Yerko.

Labels:
0 Helpful
5 Replies 5

Erik Kaiser
Cisco Employee
Cisco Employee

‎08-21-2013 02:04 PM

Hi Yerko,

You have to use authentication in order for users to be applied to an access policy based on an AD group. If you want the users to be passed through the WSA unauthenticated you can do so by creating a no authentication identity based on IP class or subnet. But you will not be able to use AD groups as the WSA does not maintain a listing of users and groups as that would require AD to be installed and licensed on the WSA.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator
0 Helpful

yerko alexander munoz diaz
Level 1
Level 1
In response to Erik Kaiser

‎08-21-2013 02:48 PM

Actually this appliance are licensed with following features keys:

it´s necesary other feature ?

If you have news, let me know please.

regards,

Yerko

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to yerko alexander munoz diaz

‎08-21-2013 10:58 PM

Greetings Yerko,

No other features are required for the authentication piece.

In order for the WSA to determine what AD Groups a user/IP belongs to, it will need to do authentication.  Therefore, you will not be able to bypass authentication based on AD group.  I hope this helps.

-Vance

0 Helpful

yerko alexander munoz diaz
Level 1
Level 1
In response to Vance Kwan

‎08-22-2013 12:49 PM

Then it's no possible that idea : "We need to configure an exception to allow the network 10.0.53.0/24 not require validation in Ironport WSA. however users of this network must pass through all content filters appropriate according to their AD group."

IS NO POSSIBLE ??????????

0 Helpful

Vance Kwan
Cisco Employee
Cisco Employee
In response to yerko alexander munoz diaz

‎08-22-2013 10:17 PM

That is correct.  This is not possible.

Correct me if I am wrong.  It sounds like you do not want Authentication, but still would like to control them using the AD group.

You might want to look into using the Context Directory Agent.  With a Context Directory Agent, the agent will scan the Active Directory security logs for logon events.  It will build a User-to-IP mapping table.  When the users in the 10.0.53.0/24 network access the internet, they will not need to authenticate.  The WSA will query the Context Directory Agent and see who is on the IP address.  If there is a user, then AD groups can be used.  If there is no user, then the user will be a Guest.

The Context Directory Agent runs on CentOS.  It will need to be hosted on a dedicated machine, or a virtual machine.  The required disk space is 120gb.

-Vance

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents