How to integrate SGT on Cisco ISE with policy on Cisco WSA

Lemineral

Dear Expert

I have a Cisco ISE SNS-3515-K9 and a Cisco WSA S395.

I did the integration between Cisco ISE and Cisco WSA with pxGrid, and the communication is working properly,

but I have one issue: when a user successfully authenticates to Cisco ISE, ISE gives the user an SGT, and the WSA reads the user's SGT to apply the policy for URL access. But it is just one SGT for all policies on the WSA; ISE will not send another SGT for the user.

Example:

User ARNOLD logs in on ISE and gets SGT "IT", and when he wants to access some URL, the Cisco WSA gives him access to the URLs allowed by the IT policy.

But in Active Directory he also has the group "ADMIN", and on the Cisco WSA we have a policy that "ADMIN" can access YouTube.

But when Arnold wants to access YouTube, access is blocked, because the WSA only identifies ARNOLD as having SGT "IT" based on its communication with Cisco ISE.

Please advise how to make it possible for Arnold to access YouTube.

5 Replies

Lemineral

Hello expert,

I hope somebody can help me please.

Hi Lemineral,

To allow user Arnold to access YouTube based on his AD group "ADMIN" while using Cisco ISE and Cisco WSA integration with pxGrid, you will need to make some configurations. Here are the steps you can follow:

  1. In Cisco ISE, make sure that the AD group "ADMIN" is mapped correctly to the appropriate SGT. You can do this by checking the SGT assignment rules in ISE.

  2. In Cisco WSA, create a new Access Policy for YouTube access. This policy should allow users with SGT "IT" and "ADMIN" to access YouTube.

  3. In the WSA Access Policy, edit the rule for YouTube access and modify the "Source SGT" condition. Add both "IT" and "ADMIN" SGTs to the condition. This will allow users with either SGT to access YouTube.

  4. Save the changes to the WSA Access Policy.

By following these steps, user Arnold, who has the SGT "IT" from Cisco ISE and the "ADMIN" group in Active Directory, will be able to access YouTube without being blocked by the WSA. The modified Access Policy in the WSA will include both SGTs in the rule for YouTube access, ensuring that users with either SGT are allowed to access the site.

Hope this can help.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Network Analytics (formerly known as Stealthwatch) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Best Regards,
Henry

Thank you for your suggestion. I really understand what you said, so I need to add IT and ADMIN in one access policy in the WSA related to YouTube access. But what if the SGT IT and ADMIN policies are different? I mean, how do I separate them if the user only has SGT IT and "IT" is not allowed to access YouTube because YouTube is only for "ADMIN"? Please advise on this matter.

Hi Lemineral,

Here's the advice:

  1. Log in to the Cisco WSA management interface.

  2. Navigate to the Access Policies section.

  3. Create a new policy specifically for users with the "IT" SGT.

    • Give the policy a descriptive name, such as "IT Access Policy."
    • Configure the necessary conditions to identify users with the "IT" SGT.
    • Set the action to deny or block access to YouTube.
  4. Create another policy specifically for users with the "ADMIN" group.

    • Give the policy a descriptive name, such as "Admin Access Policy."
    • Configure the necessary conditions to identify users with the "ADMIN" group.
    • Set the action to allow access to YouTube.

By creating separate policies, you can differentiate the access control for users based on their SGT and group membership. The "IT Access Policy" will deny access to YouTube for users with the "IT" SGT, while the "Admin Access Policy" will allow access for users with the "ADMIN" group.

Ensure that the policies are applied in the correct order to prioritize the more specific policy. For example, if the "IT Access Policy" is applied first, followed by the "Admin Access Policy," users with both the "IT" SGT and the "ADMIN" group will be denied access to YouTube.

Remember to test the configuration thoroughly to verify the intended access control behavior.

Additionally, in ISE, when the user gets an SGT through authorization, he can only get one SGT tag; he cannot belong to IT and ADMIN at the same time.

Hope this can help.


Best Regards,
Henry
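To make the two points in the reply above concrete (first-match policy ordering, and the fact that ISE hands a session exactly one SGT), here is an added toy evaluator that is not code from the thread or from Cisco WSA; the policy names, the "youtube" category and the user record are constructed for illustration, and the matching rules are a simplified model rather than the WSA engine.

```python
"""Toy first-match access-policy evaluator (constructed example, not WSA code).

A user carries one SGT (ISE assigns a single SGT per session) plus any number
of AD groups. Policies are evaluated in order; the first match decides.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    sgt: str                                 # exactly one SGT from ISE
    ad_groups: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    action: str                              # "allow" or "block"
    sgts: set = field(default_factory=set)       # empty set = no SGT condition
    ad_groups: set = field(default_factory=set)  # empty set = no group condition
    categories: set = field(default_factory=set)

    def matches(self, user, category):
        if category not in self.categories:
            return False
        if self.sgts and user.sgt not in self.sgts:
            return False
        if self.ad_groups and not (self.ad_groups & set(user.ad_groups)):
            return False
        return True


def evaluate(policies, user, category, default="block"):
    """Walk the ordered policy table; the first matching policy wins."""
    for policy in policies:
        if policy.matches(user, category):
            return policy.name, policy.action
    return "default", default


# Constructed data mirroring the thread's scenario.
ARNOLD = User("arnold", sgt="IT", ad_groups=["IT", "ADMIN"])
IT_BLOCK = Policy("IT Access Policy", "block", sgts={"IT"}, categories={"youtube"})
ADMIN_ALLOW = Policy("Admin Access Policy", "allow", ad_groups={"ADMIN"}, categories={"youtube"})


def it_policy_first():
    # IT block listed first: Arnold's SGT matches it, so the ADMIN policy never runs.
    return evaluate([IT_BLOCK, ADMIN_ALLOW], ARNOLD, "youtube")


def admin_policy_first():
    # ADMIN allow listed first: Arnold's AD group matches, so he is allowed.
    return evaluate([ADMIN_ALLOW, IT_BLOCK], ARNOLD, "youtube")


def sgt_only_identity():
    # If the WSA only sees the single SGT (no AD group data), ADMIN can never match.
    return evaluate([ADMIN_ALLOW, IT_BLOCK], User("arnold", sgt="IT"), "youtube")
```

The third case reproduces the original problem: with only the SGT available as identity, no policy ordering lets the "ADMIN" rule match.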

Lemineral

Hello Hendri

Thanks for the guidance, I understand well now.
But currently I am using WSA authentication through AD, which is very dynamic in this case, but the problem is that my AD for now is read-only and the WSA cannot read the authentication from the AD.

Finally, is there any suggestion from you on how the WSA can read the AD user group other than using AD read/write or ISE?