WSA ISE-PIC auth fails for users whose groups are not pulled in ISE-PIC server

skizhakk
Cisco Employee

Hi,
It would be great if you could accurately and quickly confirm whether this observed behavior on WSA is correct.

SNIP>>>>

The use case is to create three access policies:
1) Access policy based on ISE groups
2) Access policy based on SGTs
3) Access policy based on users
So I created three identities in three subnets with "Transparent Identification using ISE" and mapped them respectively. In the ISE-PIC server I have pulled my interested groups (say 500). Then around 4000 users are logged in through AD.

In WSA:
1) I am able to see all authenticated users in the isedata cache.
2) Those 500 groups under isedata > groups (used in Access Policy 1): WSA is able to pull them successfully.

Now if I send traffic from all those 4k users, only those users with any of the 500 groups are authenticated using ISE authentication, and the rest of the users fail ISE authentication, even though we have an entry in isedata > cache.

That means I can authenticate users using ISE only if those users' groups are pulled in ISE-PIC. If a user's groups are not pulled in ISE-PIC, that user's authentication can be executed only through NTLM/KERBEROS/BASIC, even though the user is logged in through AD successfully.

<<<<SNIP

Could you please evaluate this behavior?

Thx, Srinivas
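The behaviour Srinivas describes is easy to reason about once the two inputs are laid side by side: the user-to-group bindings that ISE-PIC learns from AD and presents over pxGrid, and the subset of groups that were deliberately pulled into ISE-PIC. The following triage script is an added example, not WSA or ISE-PIC code; it assumes the reported behaviour (a user is transparently identified by ISE only if at least one of their groups was pulled), uses constructed sample data rather than the real isedata cache format, and lists which users would fall back to NTLM/Kerberos/Basic and which unpulled groups would cover the most of them.

```python
"""Triage helper for the ISE-PIC group-coverage problem (added example).

Assumption (from the thread, not verified against WSA code): a user is
identified via ISE only when at least one of their AD groups has been pulled
into ISE-PIC; otherwise the access policy falls back to NTLM/Kerberos/Basic.
All data below is constructed for illustration.
"""
from collections import Counter

# Constructed sample: what the session cache says about each logged-in AD user.
SESSION_CACHE = {
    "alice": {"Finance", "VPN-Users"},
    "bob": {"Engineering"},
    "carol": {"Contractors"},
    "dave": set(),            # logged in, but no group membership learned
    "erin": {"Finance", "Contractors"},
}

# Constructed sample: the "interested" groups pulled into ISE-PIC.
PULLED_GROUPS = {"Finance", "Engineering"}


def classify_users(cache, pulled_groups):
    """Split users into those ISE can identify (at least one pulled group)
    and those that would fall back to the other authentication schemes.

    Returns (ise_ok, fallback): ise_ok maps user -> matched pulled groups,
    fallback maps user -> all of that user's (unpulled) groups.
    """
    ise_ok, fallback = {}, {}
    for user, groups in cache.items():
        matched = groups & pulled_groups
        if matched:
            ise_ok[user] = matched
        else:
            fallback[user] = groups
    return ise_ok, fallback


def groups_to_pull(fallback):
    """Count, over the users falling back, how often each unpulled group
    appears; pulling the most frequent ones into ISE-PIC covers the most
    users. Users with no groups at all cannot be fixed this way."""
    return Counter(g for groups in fallback.values() for g in groups)


if __name__ == "__main__":
    ok, fb = classify_users(SESSION_CACHE, PULLED_GROUPS)
    print("ISE-identified:", sorted(ok))
    print("Falling back to NTLM/Kerberos/Basic:", sorted(fb))
    for group, n in groups_to_pull(fb).most_common():
        print(f"  pulling {group!r} into ISE-PIC would cover {n} more user(s)")
    ungrouped = [u for u, g in fb.items() if not g]
    if ungrouped:
        print("  no group to pull for:", ungrouped)
```

Run against a real export of the session bindings and the pulled-group list, the script shows at a glance whether a user who "failed ISE authentication" is simply one whose groups were never pulled, which is the first thing to rule out before treating the behaviour as a defect.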

2 Replies

Timothy Abbott
Cisco Employee (Accepted Solution)
Srinivas,

This sounds like an issue with WSA. It sounds like ISE-PIC is presenting the authenticated users it knows about via pxGrid properly but for some reason WSA is not authenticating users that do not belong to one of the 500 groups you mentioned. Also, ISE-PIC does not support SGTs. You would need ISE for that to work.

Regards,
Tim

Hi Tim,

Thanks for the suggestions!

I'd agree with that observation. It needs work on WSA to authenticate such users, who are successfully authenticated on AD, on WSA as well.

We will get the team to look at it.

Regarding SGTs, yes, I am aware that PIC does not support SGTs. The scenario was more about the (interested) AD groups.

Thanks, Srinivas