CWS Group and Policy Match

heldercoelho
Level 1

I'm using Cisco ASA with connector and AD authentication.

When I go to http://whoami.scansafe.net/ I can see the username and group membership.

I created a directory group in the following format: WinNT://[domain-name]\[directory-name] for Active Directory, and I tried to create a Custom Group to match the same group.

Problem is: when I create a rule with the created group, the policy doesn't match the rule with that group.

With http://policytrace.scansafe.net I see it matching the default rule.

Any suggestion? Any documentation?

3 Replies

Ashok Sakthivel
Cisco Employee

For ASA+AD+CDA integration for CWS redirection with user granularity, you will have to create the custom group as ( domainname\groupname ).

Steps to configure custom group :

Admin -> Management -> Groups -> enter the group name "domainname\groupname", select "Group Type" as "Custom Group" and Submit.

Example:

demo\IT

demo\HR

demo\Internetusers

WinNT://[domain-name]\[directory-name] for Active Directory - this format is used for the software connector.

LDAP://[group-name] for LDAP - this format is used for the ISR CWS connector.

Thanks and Regards,

Ashok Sakthivel.

Doesn't work.

Trace and config below:

http://policytrace.scansafe.net result:

Identified user 'SOCAVEIRO\gonksys' from IP address 172.16.X.X as part of company XXX
User belongs to groups [SOCAVEIRO\ProxyComAcessoTotal]
User belongs to static groups [SOCAVEIRO\ProxyComAcessoTotal]
Site categorized as 'Adult'

Evaluating 4 rules after reading request headers
Evaluating rule 'ComAcessoNormal'
Rule 'ComAcessoNormal' doesn't match
Evaluating rule 'ComAcessoLimitado'
Rule 'ComAcessoLimitado' doesn't match
Evaluating rule 'ComAcessoTotal'
Rule 'ComAcessoTotal' doesn't match
Evaluating rule 'ProxyComAcessoTot'
Rule 'ProxyComAcessoTot' doesn't match

Rule 'ProxyComAcessoTot' selected group Custom Group 'SOCAVEIRO\ProxyComAcessoTotal' configured as attach.

What is missing?

Thanks for your fast response.

heldercoelho
Level 1

I corrected my problem.

I only created a Custom Group in the format domainname\groupname, as Ashok Sakthivel suggested, without any user inside that group.

My mistake was to expect that the rule matches on group membership alone.

To match a rule, both the group membership AND the filter have to match.

Thanks for your help.

Kind regards,

Helder Coelho
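As an added example (not code from the thread, from Cisco or from the CWS service), the following Python script simulates the rule semantics this thread ends on: a rule is selected only when the user's group membership AND the rule's filter both match, and a connector-style group name such as WinNT://domain\group normalises to the domain\group form used for Custom Groups. The rule names, group, categories and the trace line are constructed sample values modelled on the trace posted above; the "Business" filter on the "before" rule is an assumption, since the thread does not show the original filter.

```python
# Added example, not code from the thread or from Cisco: a small simulator of
# the CWS policy-rule semantics described above. A rule is selected only when
# the identified user's group membership AND the rule's filter both match;
# group membership alone never selects a rule. All rule names, groups and
# categories below are constructed sample values modelled on the trace in the
# thread.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]      # Custom Groups attached, in "domain\group" form
    categories: FrozenSet[str]  # the rule's filter: site categories it applies to
    action: str                 # "allow" or "block"


def normalise_group(name: str) -> str:
    """Map the connector forms 'WinNT://domain\\group' and 'LDAP://group'
    onto the bare form used for Custom Groups, case-folded for comparison."""
    m = re.match(r"^(?:WinNT|LDAP)://(.+)$", name, re.IGNORECASE)
    if m:
        name = m.group(1)
    return name.lower()


def parse_trace_groups(trace_text: str) -> List[str]:
    """Pull the group list out of a policytrace 'User belongs to groups [...]' line."""
    m = re.search(r"User belongs to groups \[(.*?)\]", trace_text)
    if not m:
        return []
    return [g.strip() for g in m.group(1).split(",") if g.strip()]


def evaluate(rules: List[Rule], user_groups: List[str],
             site_category: str) -> Tuple[List[str], Optional[Rule]]:
    """Walk the rules in order, emitting policytrace-style lines, and return
    the first rule whose group AND filter both match (or None)."""
    have = {normalise_group(g) for g in user_groups}
    trace = [f"Evaluating {len(rules)} rules after reading request headers"]
    for rule in rules:
        trace.append(f"Evaluating rule '{rule.name}'")
        group_ok = bool(have & {normalise_group(g) for g in rule.groups})
        filter_ok = site_category in rule.categories
        if group_ok and filter_ok:
            trace.append(f"Rule '{rule.name}' matches")
            return trace, rule
        trace.append(f"Rule '{rule.name}' doesn't match")
    return trace, None


# Constructed sample input: the group line from the thread's trace, given the
# connector-style prefix to show that it normalises to the Custom Group name.
SAMPLE_TRACE = r"User belongs to groups [WinNT://SOCAVEIRO\ProxyComAcessoTotal]"
USER_GROUPS = parse_trace_groups(SAMPLE_TRACE)
FULL_ACCESS = frozenset(["Adult", "Business", "Gambling", "Social Networking"])

# "Before" (assumed): the group is attached, but the filter (a single
# constructed category) does not include the site's category, so the rule
# cannot match even though the group membership does.
BROKEN_RULES = [
    Rule("ProxyComAcessoTot", frozenset([r"SOCAVEIRO\ProxyComAcessoTotal"]),
         frozenset(["Business"]), "allow"),
]

# "After": same group, but the filter now covers the category being visited.
FIXED_RULES = [
    Rule("ProxyComAcessoTot", frozenset([r"SOCAVEIRO\ProxyComAcessoTotal"]),
         FULL_ACCESS, "allow"),
]

if __name__ == "__main__":
    for label, rules in (("before", BROKEN_RULES), ("after", FIXED_RULES)):
        lines, selected = evaluate(rules, USER_GROUPS, "Adult")
        print(f"--- {label} ---")
        print("\n".join(lines))
        print("selected:", selected.name if selected else "default rule")
```

Running the script prints a trace in the same shape as the policytrace output above: with the "before" rule every line ends in "doesn't match" and the default rule applies, while the "after" rule is selected as soon as its filter covers the site's category.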