Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
863
Views
0
Helpful
4
Replies

Ignoring Users using Cisco AD Agent

Danny Cooke
Level 1
Level 1

‎05-14-2013 08:49 AM - edited ‎03-10-2019 08:25 PM

Hi All

Its been a while since I configured a Cisco firewall (PIX 6.0, SDM) - I've now been thrown in the deep end with a pair of 5525-X's (Latest Software) and I need to achieve the below

Websense integration (Got this working)
AAA Authentication for various outbound traffic routes.

I'm using ASDM as I'm more comfortable with the GUI than CLI (I'm the other way round with switches!!!), I have AD Agent configured but the ASA isn't doing anything based on User Name but I have a few other things to try. What I'm trying to achieve now is ignoring certain user names from being matched to IP Addresses as I believe that this may have something to do with it.

We use Sophos AV and each PC requires a Service Account to run Sophos under. Each update that Sophos attempts is seen as a login and that is the user attached to the IP Address of the machine. Within Websense, it can be told to ignore certain users for purposes of filtering and reporting etc.. but I dont seem to be able to do this with the AD Agent.

Thanks
Danny

*EDIT - Sorry, I should add that I'm not seeing any users listen within Monitoring->Properties->Device Access->Authenticated Users....Websense filtering is currently working. I have an AAA Rule configured to Authenticate via Active Directory

*EDIT 2... Should I have configured the AAA rule as authorisation rather than Authentication?


Message was edited by: Danny Cooke

Labels:
0 Helpful
4 Replies 4

Danny Cooke
Level 1
Level 1

‎05-14-2013 11:01 PM

Bump

Sent from Cisco Technical Support iPad App

0 Helpful

Danny Cooke
Level 1
Level 1

‎05-15-2013 06:05 AM

Ok, so I realised that there was the Context Directory Agent which is picking up User Name to IP Address mappings better than the DC Agent.

I also realised that to do Authorization, I'd need a TACACS+ Server (which I don't have). I guess another question is, can I transparently allow users access to internet services without the use of TACACS now that I have CDA running?

As far as the OP goes, can I now ignore the "SophosAdmin" Service Account so the address isnt (incorrectly) mapped to an IP address?

Thanks

0 Helpful

Danny Cooke
Level 1
Level 1
In response to Danny Cooke

‎05-15-2013 11:27 AM

Found out how to ignore/filter specific user names, just searching for a way of transparently authorising users rather then presenting a login page/dialog .HTTP(S) is transparently passed to Websense, granted using Websense rather than the ASA, but it would be useful doing transparent auth. so I can filter based on AD user/group without the need for TACACS

Sent from Cisco Technical Support iPad App

0 Helpful

Peter Noble
Level 1
Level 1

‎02-20-2014 12:00 PM

In the current version of Cisco CDA Agent:

Go to Mappings -> Filters

add your Sophos Service Account to the filter list and it will be ignored.

0 Helpful
Customers Also Viewed These Support Documents