topic Re: WSA, ISE, with HTTPS in Web Security

WSA, ISE, with HTTPS

irissen — Tue, 05 Jul 2022 04:18:29 GMT

I have an WSA S170 (Async 9), ISE (v2.0), Active Directory, WCCP router, no CDA server

With HTTP traffic, I believe it is doable for transparent authentication (WSA > ISE)

However for HTTPS traffic, whereby the WSA should have a browser prompt for user login after enabling HTTPS Proxy, does the WSA also contact the ISE to authenticate users? Or does it need to have integration with AD by itself, directly?

I am trying to avoid the case of WSA contacting AD as it uses SMBv1

Thanks in advance

Re: WSA, ISE, with HTTPS

balaji.bandi — Tue, 05 Jul 2022 06:39:05 GMT

WSA S170

This is the end of life last year, I do not believe anything broken cisco can support

(Async 9),

stable release and TAC support were 13. X or 14. is the latest, so you need to look at some features that may be not work as expected.

WSA can use ISE for user authentication - but there is some minimum requirements to be in place :

for reference check the below guide :

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-741637.html

Re: WSA, ISE, with HTTPS

Rob Ingram — Tue, 05 Jul 2022 06:45:03 GMT

@irissen if WSA and ISE are integrated using pxGrid, then the WSA has the user information (user/ip binding) to authenticate the users without prompting.

Re: WSA, ISE, with HTTPS

irissen — Tue, 05 Jul 2022 07:06:32 GMT

thanks, does this mean WSA can run solely off the integration with ISE, without the need to create any realms for AD?

Re: WSA, ISE, with HTTPS

irissen — Tue, 05 Jul 2022 07:13:53 GMT

thanks, sorry the versions are quite old and out of support.

when you say some features may not work as expected, is there an experience or issue that was known?

also concerned that with the old versions, is it feasible at all?

Re: WSA, ISE, with HTTPS

Rob Ingram — Tue, 05 Jul 2022 09:09:24 GMT

@irissen as per the guide below, WSA obtains ISE (user/IP mappings) and AD group information for authenticated users from ISE using ERS.

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-741637.pdf

Re: WSA, ISE, with HTTPS

balaji.bandi — Tue, 05 Jul 2022 09:30:07 GMT

its been Long time worked on WSA aysnc 9.

Please check the configuration guide : (its possible for radius authentication)

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa9-0/WSA_9-0-0_UserGuide.pdf

Re: WSA, ISE, with HTTPS

amojarra — Tue, 05 Jul 2022 09:42:58 GMT

Hi @irissen

I am referring form userguide 14.0 but that could be the same

Kindly notice that

User Guide for AsyncOS 14.0 for Cisco Web Security Appliances - GD (General Deployment)

page 88

under section : Identifying Users Transparently

[1] When you configure an Identification Profile to transparently identify users, the authentication surrogate must be IP address. You cannot select a different surrogate type.

[2] From identification profile on the policies which are sets to authenticate users please select “Transparently identify users with authentication realms”

this is the latest version of ISE and WSA compatibility Matrix, maybe it help you to decide clearly regarding the upgrade plan

ISE Compatibility Matrix for Secure Web Appliance - Cisco

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Re: WSA, ISE, with HTTPS

irissen — Fri, 08 Jul 2022 01:28:24 GMT

okay thanks

Re: WSA, ISE, with HTTPS

irissen — Fri, 08 Jul 2022 01:30:59 GMT

thanks Rob

if directly reading from the diagram, WSA should purely rely on ISE for identifying user-IP mappings.

I guess the next question would be.. does the ISE also use SMBv1 to connect with AD?

Re: WSA, ISE, with HTTPS

irissen — Fri, 08 Jul 2022 01:32:50 GMT

hi amojarra,

i think my version does not have this option.. for authentication realms are given as Kerberos and LDAP only. ISE is a separate section by itself. Asked my question specifically for Async 9.0, as I am in a situation with no possible means to upgrade 😞

Re: WSA, ISE, with HTTPS

amojarra — Fri, 08 Jul 2022 23:13:44 GMT

Hi @irissen

Thanks for the reply

It is so sad that you can not upgrade at this moment, hope things gets well soon 🙂

According to the user guide : User Guide for AsyncOS 9.0 for Cisco Web Security Appliances - LD (Limited Deployment)

page 132 E-Book, there is an option : Fallback to Authentication Realm or Guest Privileges

If you have another Realm with AD and this option is configured to use that realm, then WSA will try connect to AD if Auth failed with ISE.

For ISE V2.0, what I can see in Active Directory Integration with Cisco ISE 2.x - Cisco under section "Network Ports That Must Be Open for Communication" ISE is using MSRPC instead of SMB.

from release note : Cisco Identity Services Engine Administrator Guide, Release 2.0 page 225 E-book :

Cisco ISE 1.3 and above support SMB 2.0.

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++ If you find this answer helpful, please rate it as such ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++