07-04-2016 08:54 AM - last edited on 03-25-2019 04:49 PM by ciscomoderator
I'm using Cisco ASA with the connector and AD authentication.
When I go to http://whoami.scansafe.net/ I can see the username and group membership.
I created a directory group in the following format: WinNT://[domain-name]\[directory-name] for Active Directory. And I tried to create a Custom Group to match the same group.
The problem is: when I create a rule with the created group, the policy doesn't match the rule with the created group.
With http://policytrace.scansafe.net I see it matching the default rule.
Any suggestion? Any documentation?
07-04-2016 09:17 AM
For ASA+AD+CDA integration for CWS redirection with user granularity, you will have to create the custom group as (domainname\groupname).
Steps to configure a custom group:
Admin -> Management -> Groups -> Enter the group name "domainname\groupname" & select "Group Type" as "Custom Group" and Submit.
Example:
demo\IT
demo\HR
demo\Internetusers
WinNT://[domain-name]\[directory-name] for Active Directory - This format is used for the software connector.
LDAP://[group-name] for LDAP - This format is used for the ISR CWS connector.
Thanks and Regards,
Ashok Sakthivel.
07-04-2016 09:40 AM
It doesn't work.
Trace and config below:
http://policytrace.scansafe.net result:
Identified user 'SOCAVEIRO\gonksys' from IP address 172.16.X.X as part of company XXX
User belongs to groups [SOCAVEIRO\ProxyComAcessoTotal]
User belongs to static groups [SOCAVEIRO\ProxyComAcessoTotal]
Site categorized as 'Adult'
Evaluating 4 rules after reading request headers
Evaluating rule 'ComAcessoNormal'
Rule 'ComAcessoNormal' doesn't match
Evaluating rule 'ComAcessoLimitado'
Rule 'ComAcessoLimitado' doesn't match
Evaluating rule 'ComAcessoTotal'
Rule 'ComAcessoTotal' doesn't match
Evaluating rule 'ProxyComAcessoTot'
Rule 'ProxyComAcessoTot' doesn't match
Rule 'ProxyComAcessoTot' selected group Custom Group 'SOCAVEIRO\ProxyComAcessoTotal' configured as attach.
What is missing?
Thanks for your fast response.
07-06-2016 07:05 AM
I corrected my problem.
I only created a Custom Group with the format domainname\groupname, as Ashok Sakthivel suggested, without any user inside that group.
My mistake was to expect that the rule would match only on group membership.
To match, a rule has to match group membership AND the filter.
Thanks for your help.
Kind regards,
Helder Coelho
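A simplified model of the matching behaviour Helder describes above (a rule matches only when the group condition AND the filter both hold). This is an added illustration, not Cisco's evaluation code; the rule and group names come from the trace, but the filter contents (site categories) are constructed assumptions.

```python
"""Model of CWS rule matching as described in the thread: group AND filter.
Added example, not Cisco's code; rule filters below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset      # custom groups the rule is attached to
    categories: frozenset  # filter: site categories the rule applies to


def rule_matches(rule, user_groups, site_category):
    """Both conditions must hold. A rule whose group is attached but whose
    filter does not cover the request's category is skipped, which is what
    the policytrace output in the thread shows."""
    group_ok = bool(rule.groups & user_groups)
    filter_ok = site_category in rule.categories
    return group_ok and filter_ok


def evaluate(rules, user_groups, site_category):
    """Return (trace lines, name of the first matching rule or None)."""
    trace = [f"Site categorized as '{site_category}'",
             f"Evaluating {len(rules)} rules after reading request headers"]
    for rule in rules:
        trace.append(f"Evaluating rule '{rule.name}'")
        if rule_matches(rule, user_groups, site_category):
            trace.append(f"Rule '{rule.name}' matches")
            return trace, rule.name
        trace.append(f"Rule '{rule.name}' doesn't match")
    return trace, None


# Group name in the domainname\groupname format from the trace
USER_GROUPS = frozenset({"SOCAVEIRO\\ProxyComAcessoTotal"})

# Constructed: group attached, but the filter does not include 'Adult',
# so the rule does not match even though the user is in the group.
RULES_BEFORE = [Rule("ProxyComAcessoTot", USER_GROUPS, frozenset({"Business"}))]

# Constructed: same group, filter now also covers 'Adult', so it matches.
RULES_AFTER = [Rule("ProxyComAcessoTot", USER_GROUPS,
                    frozenset({"Business", "Adult"}))]

if __name__ == "__main__":
    for rules in (RULES_BEFORE, RULES_AFTER):
        lines, selected = evaluate(rules, USER_GROUPS, "Adult")
        print("\n".join(lines), "\nselected:", selected, "\n")
```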