09-26-2018 07:37 AM - edited 03-11-2019 01:49 AM
Hi,
It would be great if you could accurately and quickly identify whether this observed behavior on WSA is accurate.
SNIP>>>>
Use case is to create three access policies :
1) Access policy based on ISE Groups
2) Access policy based on SGTs
3) Access policy based on Users
So I created three identities in three subnets with "Transparent Identification using ISE" and mapped them respectively. In the ISE-PIC server I have pulled the groups I am interested in (say 500). Then around 4000 users are logged in through AD.
In WSA:
1) I am able to see all authenticated users in the isedata cache.
2) Those 500 groups are under isedata > groups (used in Access Policy 1); WSA is able to pull them successfully.
Now if I send traffic from all those 4k users, only those users in any of the 500 groups are authenticated using ISE authentication, and the rest of the users fail ISE authentication, even though we have an entry for them in isedata > cache.
That means I can authenticate users using ISE only if that user's groups are pulled into ISE-PIC. If a user's groups are not pulled into ISE-PIC, that user's authentication can be executed only through NTLM/Kerberos/Basic, even though the user has logged in through AD successfully.
<<<<SNIP
Could you please evaluate the behavior?
Thx, Srinivas
09-27-2018 08:28 AM
09-27-2018 08:41 AM
Hi Tim,
Thanks for suggestions!
I'd agree with that observation. It needs work on WSA so that users who are successfully authenticated on AD are authenticated on WSA as well.
We will get the team to look at it.
Regarding SGTs, yes, I am aware that PIC does not support SGTs. The scenario was more about the AD groups of interest.
Thanks, Srinivas