https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558791#M7941 <HTML><HEAD></HEAD><BODY><P>So does it mean that we need CDA when WSA is deployed in transparent mode and transparent user authentication is required?</P><P></P><P>I believe HTTP request contains username and domain name. WSA can verify username with AD and allow as per policy. So why we still need CDA in this case?</P></BODY></HTML> Thu, 03 Aug 2017 08:58:30 GMT dngore 2017-08-03T08:58:30Z https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558787#M7937 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P>I am new to WSA and wants to understand user authentication concept/flow. We want to authenticate users transparently and apply web policy as per AD group. We will integrate WSA with AD using NTLPSSP. </P><P>WSA needs user name for applying policy. I understand that Client web bowser sends user name in web request. Hence WSA can obtain that user name and can verify with AD for validity. This should be straight forward.</P><P></P><P>But as per User guide for AsyncOS 11.0, Cisco Context Directory Agent (CDA) is required for transparent user identification. </P><P></P><P>I am not sure why we require CDA, if WSA is able to get username from client web browser http get request and can verify with AD?</P><P></P><P>My understanding may be wrong.</P><P></P><P>Kindly help me to understand CDA's requirement </P></BODY></HTML> Sat, 09 Mar 2019 03:40:58 GMT https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558787#M7937 dngore 2019-03-09T03:40:58Z https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558788#M7938 <HTML><HEAD></HEAD><BODY><P>I assume that you have deployed WSA in Explicit Forward proxy mode and integrated with Microsoft AD.&nbsp; If end user system is part of domain, user authentication will happen transparently. I don't think CDA is required. I have deployed WSA without CDA and transparent authentication works fine.</P><P></P><P>Note: Make sure that all test results are successful when you run a test query while doing Authentication integration with AD. If any one fails, you will have challenge at the user side related to authentication</P></BODY></HTML> Sat, 29 Jul 2017 17:32:34 GMT https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558788#M7938 Narasimhan VS 2017-07-29T17:32:34Z https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558789#M7939 <HTML><HEAD></HEAD><BODY><P>Thanks for reply.</P><P></P><P>WSA will be in transparent mode. Will that affect CDA requirement?</P><P></P><P>In which situation, CDA will be required?</P></BODY></HTML> Sun, 30 Jul 2017 15:35:39 GMT https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558789#M7939 dngore 2017-07-30T15:35:39Z https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558790#M7940 <HTML><HEAD></HEAD><BODY><P>Cisco CDA agent maps IP Addresses to usernames in order to allow WSA to understand which user is using which IP Address in the network.&nbsp; This can be used when WSA is deployed in transparent mode..</P></BODY></HTML> Mon, 31 Jul 2017 04:49:35 GMT https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558790#M7940 Narasimhan VS 2017-07-31T04:49:35Z https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558791#M7941 <HTML><HEAD></HEAD><BODY><P>So does it mean that we need CDA when WSA is deployed in transparent mode and transparent user authentication is required?</P><P></P><P>I believe HTTP request contains username and domain name. WSA can verify username with AD and allow as per policy. So why we still need CDA in this case?</P></BODY></HTML> Thu, 03 Aug 2017 08:58:30 GMT https://community.cisco.com/t5/web-security/user-authentication-in-wsa/m-p/3558791#M7941 dngore 2017-08-03T08:58:30Z