scansafe with AD on ISR G2


We are using ScanSafe and would like to authenticate users with Active Directory when they connect to the Internet. The user is redirected to the URL "webproxy/login" and cannot open the page.

There is no active session when I check on the router (with the command "show content-scan session active").

Please find below the steps I followed for the configuration with Active Directory. Is there any other configuration I should do or modify?

- On the router:

    parameter-map type content-scan global
     server scansafe primary name port http 8080 https 8080
     server scansafe secondary name port http 8080 https 8080
     source interface GigabitEthernet0/0
     user-group ciscogroup username ciscouser
     server scansafe on-failure allow-all
    aaa new-model
    aaa group server ldap scansafe-ldap-group
     server scansafe-ldap-server
    aaa authentication login ss-aaa group scansafe-ldap-group
    aaa authorization network ss-aaa group scansafe-ldap-group
    aaa accounting network ss-aaa none
    aaa session-id common
    ip admission virtual-ip virtual-host webproxy
    ip admission name ssauth ntlm
    ip admission name ssauth order ntlm
    ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa
    ldap attribute-map ldap-username-map
     map type sAMAccountName username
    ldap server scansafe-ldap-server
     ipv4 <IP_AD>
     attribute map ldap-username-map
     bind authenticate root-dn cn=test_scan,cn=users,dc=our_domain,dc=local password <Psw>
     base-dn cn=users,dc=our_domain,dc=local
     search-filter user-object-type top
     authentication bind-first
    interface GigabitEthernet0/0
     description WAN
     content-scan out
    interface GigabitEthernet0/1
     description LAN
     ip admission ssauth

I tried transport port 3268 and then 389, but the result is the same.

- On AD:

Created the user test_scan under Users, and another user for testing. I tried to use only one user, without a group, at first.

- On the ScanSafe web page:

1) Admin -> Management -> Groups.

2) Add Directory Groups (WinNT://our_domain.local\users).

3) Web Filtering -> Management -> Policy, and use the default filter/allow for the directory group.

I also tried to create a realm under Admin -> Authentication -> Management -> Add LDAP Realm and select the group to use (CN=Users,DC=nexthope,DC=local). I did the following checks successfully:

- connection

- authentication

- check LDAP

Best regards
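Added example, not part of the original post and not a Cisco tool: a small Python cross-reference check over the IOS configuration posted above. Every name that one command refers to must be defined by another command of the right kind, and a typo in any of them silently breaks the chain from the LAN interface to the LDAP server: `interface ... ip admission <rule>` -> `ip admission name <rule> method-list ...` -> `aaa authentication/authorization/accounting <list> group <group>` -> `aaa group server ldap <group>` / `server <ldap-server>` -> `ldap server <ldap-server>` -> `attribute map <map>` -> `ldap attribute-map <map>`. The script embeds the posted config as a constructed sample (re-indented the way IOS shows it, `<IP_AD>` and `<Psw>` placeholders left in), resolves those references and reports any that dangle. The object kinds and regular expressions are this example's own assumptions about the command syntax shown on the page, not an exhaustive IOS grammar.

```python
import re

# Constructed sample: the router configuration from the post above, re-indented
# the way IOS shows it, with the poster's <IP_AD> and <Psw> placeholders kept.
SAMPLE_CONFIG = """\
parameter-map type content-scan global
 server scansafe primary name port http 8080 https 8080
 server scansafe secondary name port http 8080 https 8080
 source interface GigabitEthernet0/0
 user-group ciscogroup username ciscouser
 server scansafe on-failure allow-all
aaa new-model
aaa group server ldap scansafe-ldap-group
 server scansafe-ldap-server
aaa authentication login ss-aaa group scansafe-ldap-group
aaa authorization network ss-aaa group scansafe-ldap-group
aaa accounting network ss-aaa none
aaa session-id common
ip admission virtual-ip virtual-host webproxy
ip admission name ssauth ntlm
ip admission name ssauth order ntlm
ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa
ldap attribute-map ldap-username-map
 map type sAMAccountName username
ldap server scansafe-ldap-server
 ipv4 <IP_AD>
 attribute map ldap-username-map
 bind authenticate root-dn cn=test_scan,cn=users,dc=our_domain,dc=local password <Psw>
 base-dn cn=users,dc=our_domain,dc=local
 search-filter user-object-type top
 authentication bind-first
interface GigabitEthernet0/0
 description WAN
 content-scan out
interface GigabitEthernet0/1
 description LAN
 ip admission ssauth
"""

# Object kinds that are defined in one place and referenced by name elsewhere
# (assumed set for this example; it covers only the commands in the post).
KINDS = ("ldap_server", "ldap_map", "ldap_group", "method_list", "admission_rule")


def parse_sections(text):
    """Split IOS-style text into (command, [sub-commands]) pairs.
    Indented lines belong to the closest preceding unindented command."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def collect(sections):
    """Return (defined, referenced): defined maps kind -> set of names,
    referenced maps kind -> list of (name, command that references it)."""
    defined = {k: set() for k in KINDS}
    referenced = {k: [] for k in KINDS}

    for cmd, body in sections:
        if m := re.fullmatch(r"ldap server (\S+)", cmd):
            defined["ldap_server"].add(m[1])
            for sub in body:                       # attribute map <name>
                if sm := re.fullmatch(r"attribute map (\S+)", sub):
                    referenced["ldap_map"].append((sm[1], cmd))
        elif m := re.fullmatch(r"ldap attribute-map (\S+)", cmd):
            defined["ldap_map"].add(m[1])
        elif m := re.fullmatch(r"aaa group server ldap (\S+)", cmd):
            defined["ldap_group"].add(m[1])
            for sub in body:                       # server <ldap server name>
                if sm := re.fullmatch(r"server (\S+)", sub):
                    referenced["ldap_server"].append((sm[1], cmd))
        elif m := re.match(r"aaa (?:authentication login|authorization network|accounting network) (\S+) (?:group (\S+)|none)", cmd):
            defined["method_list"].add(m[1])      # a method list, backed by a group or 'none'
            if m[2]:
                referenced["ldap_group"].append((m[2], cmd))
        elif m := re.match(r"ip admission name (\S+) method-list (.*)", cmd):
            defined["admission_rule"].add(m[1])
            for _, name in re.findall(r"(authentication|authorization|accounting) (\S+)", m[2]):
                referenced["method_list"].append((name, cmd))
        elif m := re.match(r"ip admission name (\S+)", cmd):
            defined["admission_rule"].add(m[1])
        elif cmd.startswith("interface "):
            for sub in body:                       # ip admission <rule>
                if sm := re.fullmatch(r"ip admission (\S+)", sub):
                    referenced["admission_rule"].append((sm[1], cmd))
    return defined, referenced


def dangling_references(text):
    """Names referenced in `text` that no definition of the right kind supplies,
    as sorted (kind, name, referencing_command) tuples; empty means consistent."""
    defined, referenced = collect(parse_sections(text))
    return sorted(
        (kind, name, where)
        for kind, refs in referenced.items()
        for name, where in refs
        if name not in defined[kind]
    )


if __name__ == "__main__":
    for problem in dangling_references(SAMPLE_CONFIG) or [("ok", "-", "no dangling names")]:
        print(*problem)
```

Run against the posted configuration the check comes back clean, so a name mismatch is not what is stopping the redirect; it is a quick first pass to run on a modified config before looking at the router itself. It says nothing about whether the NTLM exchange or the LDAP bind actually succeeds, which only the router can show: besides the `show content-scan session active` command already used in the post, `show ip admission cache` lists the authentication entries the admission rule has created for LAN hosts, and an empty cache while users are being redirected points at the `ip admission` side rather than at the ScanSafe portal groups.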
