tema Yes. en Web Security

Transparent user ID vs Authenticated user

tahequivoice — Tue, 24 Mar 2015 18:48:39 GMT

Reviewing a setup, and noticed in the later version of code, 8.0 for example, there are two methods for access. Since FF and Safari have issues authenticating access when browsing, and IE does not, would the transparent user ID work the same way for authenticated users, and how would that work with AD?

When you have transparent

Handy Putra — Sun, 29 Mar 2015 01:18:14 GMT

When you have transparent user ID enable and using AD agent(Context Directory Agent - CDA), this mechanism that maps IP Addresses to usernames in order to allow security gateways to understand which user is using which IP Address in the network, so those security gateways can now make decisions based on those users (or the groups to which the users belong to).

CDA monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.

Scenario example:

User machine logs in to the domain and CDA agent will catch the user credentials information and map with the IP address of the client and store it in local cache then pass the info to the WSA.

If the AD server down for example, the CDA will still be able to relay information regarding the users from its local cache to WSA.

For more information regarding Transparent user identification or CDA, please see below link for overview:

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_oveviw.html

Hello, mates, I have a S170

mauricioharley — Fri, 03 Jul 2015 08:58:34 GMT

Hello, mates,

I have a S170 WSA with AsyncOS version 8.5.1-021. I also have CDA deployed and configured. Authentication tests say everything is good, including connection with CDA. HTTPS decryption is activated as well.

However, my users are still getting authentication prompts everyday and many times inside the same day. It happens randomly and is browser-independent. I changed authentication timeouts from default values of 3600 seconds to 86400 (one day) but it did not solve the issue (please check attached image).

Could you please help me find the final solution to this?

I appreciate,

Mauricio Harley

If CDA is down will the WSA

David Niemann — Mon, 20 Jul 2015 16:39:00 GMT

If CDA is down will the WSA use the pass thru authentication from the user's browser as a failback authentication mechanism?

Yes.

Ken Stieers — Mon, 20 Jul 2015 20:22:26 GMT

Yes.

If CDA doesn't have the

David Niemann — Wed, 12 Aug 2015 18:48:54 GMT

If CDA doesn't have the authentication information will the WSA try to get the creds from the browser?

You actually configure it to

David Niemann — Wed, 12 Aug 2015 19:53:49 GMT

You actually configure it to use the CDA agent under Identities. In one of your Identities, you select Identify Users Transparently under Identification and Authentication. This also assumes you have the CDA enabled under Network -> Authentication -> Authentication Realm ->Active Directory Agent. You have to check the box for Enable Transparent User Identification using Active Directory Agent. You need to have the Server defined under Primary Active Directory agent along with the shared secret you created on the CDA system.

Yes.

Ken Stieers — Wed, 12 Aug 2015 19:58:49 GMT

Yes.