topic Re: How to exclude mobile devices from authentication in Web Security

How to exclude mobile devices from authentication

vince.steiner — Mon, 01 Apr 2013 19:21:40 GMT

So i have a default identity policy that takes the identity of a user from an AD agent, i have also set up NTLM transparent authentication in case AD agent can not identify the user.

it works well on our windows domain attached PCs but there is a problem with mobile devices (ipads, iphones, droids, etc) every time they want to use the browser, app, people are being asked to put their credentials.

is there a way of excluding all of these mobile devices from this NTLM authentication? this is on ASA CX, i have an option to add a identity policy above this one, but how can i add mobile devices as a source?

Thanks

Re: How to exclude mobile devices from authentication

alessandro.s — Mon, 01 Apr 2013 21:37:03 GMT

Hi gregory,
If i'm not missing something there's no way to discriminate mobile users to exempt it from authentication. I think you need to create a Specific vlan for mobile users then create an identity specifying the new subnet and exempt it from authentication.

Hope this helps

Regards

Sent from Cisco Technical Support iPhone App

Re: How to exclude mobile devices from authentication

Ken Stieers — Mon, 01 Apr 2013 21:42:04 GMT

Your other option, if the ASA CX allows it, is to create an identity for the User-Agent strings that the mobile devices use and not require authentication for those strings... Its doable on the WSA, but I don't know about the CX...

Re: How to exclude mobile devices from authentication

vince.steiner — Tue, 02 Apr 2013 14:36:18 GMT

I tried that, and i can create user/device agent based object, but somehow i can not use it a s a source, i can only use network, IP range as a source.

Re: How to exclude mobile devices from authentication

alessandro.s — Tue, 02 Apr 2013 15:20:45 GMT

If you was able to create user/device agent that identify mobile users so you can crate an identity based on user agents.

When you add an identity, in the lower left-side corner click on "advanced" then click on "None Selected" line next to "User Agents" . Then you can add your Custom User Agents strings in the list.

Regards

Re: How to exclude mobile devices from authentication

vince.steiner — Thu, 04 Apr 2013 13:18:05 GMT

I can create a source object group based by User agent object , but then the problem is that in the actual policy i can only add network sources as a sources, not this source object based on user agent identity i created.

i can add screenshots if needed, i this WSA may be more advanced that ASA CX

Re: How to exclude mobile devices from authentication

alessandro.s — Thu, 04 Apr 2013 14:50:42 GMT

Hi Gregory,

please add screenshot so i can better understand the problem.

Thanks.

Regards