Access Policy Based on AD Computer Objects

Tim Jackson
Beginner

Is it possible to create either an Identity or Access Policy scoped to a group of AD computer objects? We currently restrict a group of workstations by adding their IPs to an identity. This is cumbersome, as the IPs need to be reserved ahead of time and explicitly added to the WSA identity. It would be much easier if we could associate it to an AD group where we could delegate some permission to modifying that group as access needs to be restricted. Thoughts?


Thanks,
Tim

6 Replies

asvarghe
Cisco Employee

Dear Tim,


Please find my inputs below:

1. Active Directory can be integrated with WSA. Steps to integrate are given in the user guide:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html


2. Once AD is integrated, WSA can pull group information from WSA; these groups can be leveraged in the access policies to apply restrictions.

[Screenshot omitted: Screen Shot 2019-07-25 at 9.10.23 AM.png]

3. Click on the group hyperlink and WSA will display the group information.


Regards,
Ashish Varghese
*** Rate All Helpful Responses ***

shgrover
Cisco Employee

Hello Tim,


You can put all these computers in a group on AD and call the group or individual usernames in the access/decryption policies. Whenever these systems try to go out of the network on 80/443, the WSA will be able to match the policies you set for them.


Regards,

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question.
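The AD side of the step described in this reply (build a security group whose members are computer objects, then verify what is actually in it), as an added PowerShell example that is not part of the thread and not Cisco's or the WSA's own tooling. It assumes the RSAT ActiveDirectory module is installed; the group name, OU path and computer names are placeholders. Whether the WSA then matches a policy on those computer objects is the open question in the thread; the script only shows how to create and audit the group that the policy would reference.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
# Group name, OU and computer names below are placeholders / constructed sample values.
Import-Module ActiveDirectory

$GroupName = 'WSA-Restricted-Workstations'          # placeholder group name
$GroupOU   = 'OU=Groups,DC=example,DC=local'        # placeholder OU for the new group
$Computers = @('WS-LAB-01', 'WS-LAB-02')            # constructed sample computer names

# Create the security group once; skip if it already exists so the script can be re-run.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Workstations subject to the restricted WSA access policy'
}

# Resolve the computer objects (not user objects) and add them as members.
$members = foreach ($name in $Computers) { Get-ADComputer -Identity $name }
Add-ADGroupMember -Identity $GroupName -Members $members

# Audit the membership: every entry should have objectClass 'computer'.
# A 'user' entry here means someone delegated to manage the group added the wrong object type.
Get-ADGroupMember -Identity $GroupName |
    Select-Object Name, objectClass, distinguishedName |
    Format-Table -AutoSize
```

Delegating "add/remove members" on this one group (rather than on the WSA identity itself) is what lets a service desk adjust which workstations are restricted without touching the proxy configuration, which is the administrative goal stated in the original question.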


I have tried that in the past and it doesn't seem to work. To be clear, I'm talking about adding Computer objects to the group, not user objects. The WSA only seems to be able to look at the logged in user. The computer name never shows up anywhere in the logs. Are you sure the WSA has this capability? User identification has always worked as expected via Kerberos.