
Local Users in Secure Access

Has anyone here had experience configuring local users in Secure Access, where you only input the users' email addresses without using an identity provider or Active Directory (especially a manual upload that was exported from Active Directory)? In other vendors, this feature is available and it's always used when doing a POC.

For example, in a VPN connection use case, the users are required to download a VPN client like AnyConnect. Similar to Meraki VPN, it is configured simply by inputting the users' email addresses, and it works without additional configuration. Does Secure Access offer a similar capability?

1 Reply

howe
Level 1

You can import users from a CSV file: 

https://docs.sse.cisco.com/sse-user-guide/docs/import-users-from-csv-file

However, this will only allow the user object to be used in policies etc. It is not in itself an identity provider and cannot authenticate VPN users. Your options for authenticating VPN users are (note: the user must also exist in the dashboard through the CSV file import, or via the AD connector etc.):

1) SAML 

2) Certificate-based auth - a user cert can be used to authenticate the connection (as long as the user is specified in the cert and this matches the user previously imported)

3) Radius

In my experience for testing, it is best to connect your AD/Entra to Secure Access to import a subset of users, or use a CSV file for very limited and static deployments, and use an IdP like Okta that allows you to simply enter users in their dashboard and provide SAML auth on these users. Of course, for an actual POC you should use whatever mechanisms are already in place.