CSCvi25041 - Incorrect group matching when using transparent user authentication

keithsauer507
Level 5

Anyone run into this bug?


Any workarounds?

 

Symptom:
HTTP/HTTPS requests matching incorrect access/decryption policies

Conditions:
1. TUI/CDA authentication configured in identities
2. AD groups configured in access policies or decryption policies

 

Known Affected Releases:
(2)
10.1.2-050
10.5.2-042
1 Reply

keithsauer507
Level 5

The only workaround was to log into the CLI and issue the revert command. With TAC's assistance massaging the backed-up config, we were able to import it, and then use the certconfig CLI command to change the management web interface off of the Demo Certificate. Then join the domain again, kick the proxy and all should be good.

 

Cisco needs to PULL 10.5.2-042. It breaks the most fundamental feature of a webfilter. If you cannot correctly identify users, how are you supposed to assign them a proper access policy in order to decide where they can or can't go? This is the cornerstone to any good webfilter and I can't believe this release has been out since 2/15/2018 and still continues to be made available when it breaks the entire operation. That's like saying you are buying a car without a steering wheel.