Cisco Support Community
Ironport S170 - LDAP Group Authentication issue

Hi all,

I configured an IronPort S170 appliance (AsyncOS 7.5.0-833) to join our domain via LDAPv3.

The domain is successfully joined; below is the output of the testauthconfig command:

Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'ironport02.domain.com' address: 192.168.X.X

Checking DNS resolution of LDAP Server(s)...
Success: Resolved 'forestdc01.domain.com' address: 10.200.X.X

Success: Resolved 'forestdc02.domain.com' address: 10.200.X.X

Checking connectivity of LDAP Server(s)...
Success: Server 'forestdc01.domain.com' responding to queries on port 3268.
Success: Server 'forestdc02.domain.com' responding to queries on port 3268.

Checking the type of LDAP Server(s)...
Success: Able to query server information from 'forestdc01.domain.com'
Success: Able to query server information from 'forestdc02.domain.com'

Checking if Referrals are enabled...
Success: Referral option is disabled.

Attempting to fetch user information...
Success: Able to query for User Information from server 'forestdc01.domain.com'. Number of users fetched: 1000.
Success: Able to query for User Information from server 'forestdc02.domain.com'. Number of users fetched: 1000.

Attempting to fetch group information...
Success: Able to query for Group Information from server 'forestdc01.domain.com'.
Success: Able to query for Group Information from server 'forestdc02.domain.com'.

So I configured an access policy (named VIP_AD), based on a directory group, that allows access to the youtube.com website, then I created a test user in my domain who is a member of that group. The group is named "Proxy_VIP".

I tested the access rule using Policy Trace and below is the result:

---------------------------------------------------------------------------------------------------------------------------

User Information
User Name: user.test
Group Membership: Proxy_VIP
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
URL Check
WBRS Score: 0.0
URL Category: Streaming Video
Scanner "AVC" Verdict (Request): Unknown (Unknown)
MIME-Type: text/html; charset=utf-8
Object Size: 0 bytes
Scanner "AVC" Verdict (Response): Unknown (Unknown)
Policy Match
Cisco IronPort Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identity policy: UtentiAD
Access policy: VIP_AD
Final Result
Request completed
Details: Transaction permitted
Trace session complete

------------------------------------------------------------------------------------------------------------------

As you can see, Policy Trace correctly matches both the group membership and the access policy.

Unfortunately this doesn't happen when browsing the Internet with the same user, and the transaction is blocked:

172.16.X.X "DOMAIN\user.test@DOMAIN.COM" - [15/May/2014:16:49:07 +0200] "GET http://www.youtube.com/" 403 1 TCP_DENIED:NONE 4 BLOCK_WEBCAT_11-Default_AD-UtentiAD-DefaultGroup-NONE-NONE-NONE <IW_vid,-,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_vid,-,"-","-","YouTube","Media","-","-",0.00,0,-,"-","-"> - -

As you can see above, the access policy is not matched correctly.

Any ideas?


Thank you in advance.

Kind Regards
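Added example (not part of the original post and not Cisco code): a small Python parser for access-log lines in the layout shown above. It decodes the hyphen-separated decision tag so that the identity policy and access policy the proxy actually applied can be compared with what Policy Trace predicted, and it splits the logged user string into domain, account and realm so it can be compared with the plain "user.test" the trace was run as. The positional layout of the tag (ACL decision, access policy, identity, outbound malware scanning, data security, external DLP, routing) follows the AsyncOS 7.x access-log documentation as I recall it; positions 1 to 3 are the ones this check relies on, so confirm positions 4 to 7 against the log guide for your release. The sample line and the policy names VIP_AD and UtentiAD are taken from the post; the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the access log line from the post above, with its
# anonymised addresses left as written.
SAMPLE_LINE = (
    '172.16.X.X "DOMAIN\\user.test@DOMAIN.COM" - [15/May/2014:16:49:07 +0200] '
    '"GET http://www.youtube.com/" 403 1 TCP_DENIED:NONE 4 '
    'BLOCK_WEBCAT_11-Default_AD-UtentiAD-DefaultGroup-NONE-NONE-NONE '
    '<IW_vid,-,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_vid,-,"-","-",'
    '"YouTube","Media","-","-",0.00,0,-,"-","-"> - -'
)

# client  "user"  -  [timestamp]  "METHOD URL [HTTP/x.y]"  status  size
# cache_result  n  decision_tag  <scanning verdicts>  ...
LINE_RE = re.compile(
    r'^(?P<client>\S+)\s+"(?P<user>[^"]*)"\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<url>[^"\s]+)(?:\s+[^"\s]+)?"\s+(?P<status>\d+)\s+\S+\s+'
    r'(?P<result>\S+)\s+\S+\s+(?P<decision>\S+)\s+<(?P<verdicts>[^>]*)>'
)

# Assumed positional layout of the decision tag (AsyncOS 7.x access log, as I
# recall the documentation). Policy names containing '-' would break the split.
DECISION_FIELDS = (
    "acl_decision", "access_policy", "identity_policy",
    "outbound_malware_policy", "data_security_policy",
    "external_dlp_policy", "routing_policy",
)


@dataclass
class AccessLogEntry:
    client: str
    user: str
    timestamp: str
    method: str
    url: str
    status: int
    result: str
    acl_decision: str
    access_policy: str
    identity_policy: str
    other_policies: dict = field(default_factory=dict)


def parse_access_log_line(line: str) -> AccessLogEntry:
    """Parse one access-log line and decode its policy decision tag."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected access-log layout")
    parts = m.group("decision").split("-")
    if len(parts) != len(DECISION_FIELDS):
        raise ValueError(f"expected {len(DECISION_FIELDS)} decision segments, got {len(parts)}")
    decision = dict(zip(DECISION_FIELDS, parts))
    return AccessLogEntry(
        client=m.group("client"), user=m.group("user"), timestamp=m.group("ts"),
        method=m.group("method"), url=m.group("url"), status=int(m.group("status")),
        result=m.group("result"), acl_decision=decision["acl_decision"],
        access_policy=decision["access_policy"], identity_policy=decision["identity_policy"],
        other_policies={k: v for k, v in decision.items() if k not in DECISION_FIELDS[:3]},
    )


def split_user(user: str) -> tuple[str, str, str]:
    """Split 'DOMAIN\\name@REALM' into (domain, name, realm); absent parts are ''."""
    domain, _, rest = user.rpartition("\\")
    name, _, realm = rest.partition("@")
    return domain, name, realm


def check_policy_match(line: str, expected_identity: str, expected_access_policy: str) -> dict:
    """Compare the policies the proxy applied with the ones Policy Trace predicted."""
    entry = parse_access_log_line(line)
    action, _, reason = entry.acl_decision.partition("_")   # e.g. BLOCK, WEBCAT_11
    _, account, _ = split_user(entry.user)
    return {
        "account": account,                      # bare name to compare with the trace's user
        "identity_matched": entry.identity_policy == expected_identity,
        "access_policy_matched": entry.access_policy == expected_access_policy,
        "applied_access_policy": entry.access_policy,
        "blocked_by_category": action == "BLOCK" and reason.startswith("WEBCAT"),
    }


if __name__ == "__main__":
    for k, v in check_policy_match(SAMPLE_LINE, "UtentiAD", "VIP_AD").items():
        print(f"{k}: {v}")
```

Run against the posted line, the check reports that the identity policy UtentiAD did match (so authentication and identity selection worked on the live request) while the access policy fell through to Default_AD, whose URL-category rule produced the BLOCK_WEBCAT verdict. That separates an identity problem from a group-condition problem: the disagreement with Policy Trace is confined to how VIP_AD's group membership was evaluated for the real transaction.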


1 REPLY

Policy trace is broken and

<DELETED>
