ScanSafe not picking up username

cooperwaldon
Level 1

Hello,

We have been using ScanSafe/CWS with a config file that is deployed using group policy. For a long time this was working well; however, over the past several months people stopped being prompted for credentials (it is set to time out after 2 weeks), and now it seems that ScanSafe is not picking up the username and as a result is not properly filtering traffic.

When I go to whoami.scansafe.net it shows the username as our external NATed IP (I've modified it below).

authUserName: 99.99.99.12
authenticated: true
companyName: 99 Company
countryCode: CA
externalIp: 99.99.99.12
groupNames: []
internalIp: 99.99.99.12
logicalTowerNumber: 2422
staticGroupNames: 
  - default
userName: 99.99.99.12

I have verified on the Admin>Management LDAP Realm page that scansafe does have access to our LDAP servers and can authenticate, and it can search for and find users with their appropriate groups.

Successfully connected via London 1 (xx.xx.xx.xx)
Successfully connected via London 2 (xx.xx.xx.xx)
Successfully connected via London 3 (xx.xx.xx.xx)
Successfully connected via London 4 (xx.xx.xx.xx)
Successfully connected via Toronto 1 (xx.xx.xx.xx)
Successfully connected via Vancouver 1 (xx.xx.xx.xx)
Successfully connected via Washington 1 (xx.xx.xx.xx)
Successfully connected via Washington 2 (xx.xx.xx.xx)
Bind successful
Server Type: Active Directory V6.1 (Windows 2008 R2)

We are thinking of implementing the transparent proxy configuration using an ISR but until we get this first issue resolved there's not really any point since we can't monitor/filter traffic since all users show up as the same "user" which is the IP.

Has anyone run into this issue before or have a suggestion as to a possible solution?  It's odd because our configuration hasn't changed, it just seems to have stopped working properly.

Thanks,

Cooper
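
The symptom in this question can be checked mechanically. The following is an added example, not part of the original post or of Cisco's tooling: it parses text in the whoami layout quoted above and flags a session whose username is an IP address or that carries no directory groups. The function names and the sample text are constructed for illustration, and fetching the page is left out.

```python
import ipaddress

# Constructed sample in the whoami layout quoted in the question (already masked there).
SAMPLE = """\
authUserName: 99.99.99.12
authenticated: true
companyName: 99 Company
countryCode: CA
externalIp: 99.99.99.12
groupNames: []
internalIp: 99.99.99.12
logicalTowerNumber: 2422
staticGroupNames:
  - default
userName: 99.99.99.12
"""

def parse_whoami(text):
    """Parse 'key: value' lines and '- item' list entries into a dict."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- ") and last_key is not None:
            items = fields[last_key] if isinstance(fields[last_key], list) else []
            fields[last_key] = items + [line[2:].strip()]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or unrecognised line
        last_key, value = key.strip(), value.strip()
        fields[last_key] = [] if value == "[]" else value
    return fields

def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def identity_findings(fields):
    """Return reasons the session looks unidentified (empty list = looks fine)."""
    findings = []
    for key in ("authUserName", "userName"):
        value = fields.get(key, "")
        if isinstance(value, str) and is_ip(value):
            findings.append(f"{key} is an IP address ({value}), not a directory user")
    if fields.get("groupNames") == []:
        findings.append("groupNames is empty: no directory groups attached")
    return findings
```

Run against the quoted output, `identity_findings(parse_whoami(SAMPLE))` reports both username fields and the empty group list, which is the state in which every user is filtered and logged as the same identity.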

1 Accepted Solution

Brett Murrell
Cisco Employee

Hi,

It looks as if you've omitted your real company name in your whoami output so I'm unable to check everything is set up correctly on your account.

The first thing I would check is the authentication rule in your account to make sure it is set correctly. Check the filter associated with the auth rule is set to 'hit' on browser user-agents (best practice).

Otherwise, if this doesn't resolve your issue, please ensure to log a TAC case and we can assist you further.

Regards,

Brett

4 Replies

Brett Murrell
Cisco Employee

Hello Cooper,

I have seen that you have created a test authentication rule in your account after my note above, but you are trying to match the rule with a group labelled 'Test'. This group contains a list of users which will never match because you haven't been through the auth process in the first place for the portal to know to apply said auth rule.

Considering your traffic comes to us with no way to delineate one user from another, I'm afraid you won't be able to test the auth rule other than to put in egress IPs (your traffic appears to come from multiple egress IPs - I can see at least 10 for the last 24 hours of traffic with a WiRe report of 'view first 100 'external ip' sorted by 'hits''). Otherwise just set the rule to "anyone".

I hope this helps, but it may be easier to log a TAC case to talk through this with an engineer.

Regards,
Brett

Hi Brett,

It appears as though somehow the filter was only set to authenticate very specific user agents.  We added other user agents and it caused authentication prompts.

I'm not sure if this was disabled manually or if there was a change in default behaviour.

Thank you,

Cooper

Ashok Sakthivel
Cisco Employee

Your LDAP server looks absolutely fine. I could see you have two authentication policies: the 1st and 3rd rules.

- Disable the first one, which you have created for testing.

- In the 3rd rule, you have a group set as exempt for one IP. Remove that exempt group and keep it as default, which will be applicable for all users.

Try the above changes and let me know whether authentication triggers for the user.

Regards,

Ashok Sakthivel.
