Beginner

Access Policy Based on AD Computer Objects

Is it possible to create either an Identity or an Access Policy scoped to a group of AD computer objects? We currently restrict a group of workstations by adding their IPs to an identity. This is cumbersome, as the IPs need to be reserved ahead of time and explicitly added to the WSA identity. It would be much easier if we could associate it with an AD group, for which we could delegate permission to modify the group as access needs to be restricted. Thoughts?


Thanks,
Tim
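
One way to make the current IP-based identity less cumbersome, as an added example that is not code from this thread or from Cisco: derive the identity's IP list from the membership of an AD computer group, so that the thing delegated admins maintain is the group, not the identity. The script assumes the RSAT ActiveDirectory module, a hypothetical group named 'WSA-Restricted-Workstations', a forward DNS record for each computer's dNSHostName, and an output path under C:\wsa; the WSA identity itself is still updated by hand from the emitted list, since no WSA API is assumed here.

```powershell
# Added example (not from the thread or Cisco): build the IP list for a WSA
# identity from an AD *computer* group. Assumptions (hypothetical names):
# RSAT ActiveDirectory module, group 'WSA-Restricted-Workstations', forward
# DNS for every member's dNSHostName, output file C:\wsa\restricted-workstations.txt.
Import-Module ActiveDirectory

function Get-WsaIdentityAddresses {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $IncludeIPv6
    )
    $results = @()
    # -Recursive flattens nested groups; keep computer objects only, not users.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'computer' }

    foreach ($m in $members) {
        $comp = Get-ADComputer -Identity $m.distinguishedName -Properties dNSHostName, Enabled
        if (-not $comp.Enabled -or [string]::IsNullOrWhiteSpace($comp.dNSHostName)) {
            Write-Warning "Skipping $($comp.Name): disabled or no dNSHostName"
            continue
        }
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($comp.dNSHostName)
        } catch {
            Write-Warning "Skipping $($comp.Name): DNS lookup failed ($($_.Exception.Message))"
            continue
        }
        foreach ($a in $addrs) {
            $v4 = $a.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
            $v6 = $a.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6
            # Link-local v6 addresses never reach the proxy, so they are dropped.
            if ($v4 -or ($v6 -and $IncludeIPv6 -and -not $a.IsIPv6LinkLocal)) {
                $results += [pscustomobject]@{ Computer = $comp.Name; Address = $a.IPAddressToString }
            }
        }
    }

    # One address resolving for two computers means a stale DNS record; the
    # wrong host would inherit the restriction, so flag it rather than emit it silently.
    $results | Group-Object Address | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Address {0} resolves for more than one computer: {1}" -f $_.Name, ($_.Group.Computer -join ', '))
    }
    return $results
}

# Emit one address per line for the identity's IP membership, and diff against
# the previous run so the change set can be reviewed before it is applied.
$out  = 'C:\wsa\restricted-workstations.txt'
$prev = @(if (Test-Path $out) { Get-Content $out })
$new  = @(Get-WsaIdentityAddresses -GroupName 'WSA-Restricted-Workstations' |
          Select-Object -ExpandProperty Address | Sort-Object -Unique)

if ($prev.Count -gt 0 -and $new.Count -gt 0) {
    # "=>" lines are additions, "<=" lines are removals relative to the last run.
    Compare-Object -ReferenceObject $prev -DifferenceObject $new |
        ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
} else {
    $new | ForEach-Object { "=> $_" }
}
$new | Set-Content -Path $out
```

The list is only as stable as the addresses are: with DHCP, either keep the reservations the post already uses or run this on a schedule and reconcile the diff, and treat every warning as a reason to check DNS before touching the identity. This changes nothing about how the WSA attributes traffic once a user authenticates, which is the limitation the replies below get to.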

6 replies
Cisco Employee

Re: Access Policy Based on AD Computer Objects

Dear Tim,

 

Please find my inputs below - 

1. Active directory can be integrated with WSA. Steps to integrate are given in the user guide - 

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

 

2. Once AD is integrated, WSA can pull group information from AD, and these groups can be leveraged in the access policies to apply restrictions.

 

[Screenshot omitted: Screen Shot 2019-07-25 at 9.10.23 AM.png]

 

3. Click on the group hyperlink and WSA will display the group information.

 

Regards,
Ashish Varghese

Cisco Employee

Re: Access Policy Based on AD Computer Objects

Hello Tim,

 

You can put all these computers in a group on AD and call the group, or individual usernames, in the access/decryption policies. Whenever these systems try to go out of the network on 80/443, the WSA will be able to match the policies you set for them.

 

Regards

Shikha Grover


 

Beginner

Re: Access Policy Based on AD Computer Objects

I have tried that in the past and it doesn't seem to work. To be clear, I'm talking about adding Computer objects to the group, not user objects. The WSA only seems to be able to look at the logged in user. The computer name never shows up anywhere in the logs. Are you sure the WSA has this capability? User identification has always worked as expected via Kerberos.

Engager

Re: Access Policy Based on AD Computer Objects

IIRC, when a user logs in, that user takes over as owner of the IP.
Beginner

Re: Access Policy Based on AD Computer Objects

Thanks Ken,

 

That confirms what I'm seeing and means that the WSA cannot do what I had hoped. I would think others may benefit from that feature, so maybe an enhancement down the road?


Tim

Cisco Employee

Re: Access Policy Based on AD Computer Objects

Tim,

 

You are right, I was talking about user objects. Let me check if I can file an FR for you.

 

Regards

Shikha Grover