Access Policy Based on AD Computer Objects

Tim Jackson
Level 1

Is it possible to create either an Identity or Access Policy scoped to a group of AD computer objects? We currently restrict a group of workstations by adding their IPs to an identity. This is cumbersome, as the IPs need to be reserved ahead of time and explicitly added to the WSA identity. It would be much easier if we could associate it with an AD group, where we could delegate some permission to modify that group as access needs to be restricted. Thoughts?


Thanks,
Tim

6 Replies

asvarghe
Cisco Employee

Dear Tim,

 

Please find my inputs below - 

1. Active Directory can be integrated with WSA. Steps to integrate are given in the user guide -

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

 

2. Once the AD is integrated, WSA can pull group information from WSA; these groups can be leveraged in the access policies to apply restrictions.

 


3. Click on the group hyperlink and WSA will display the group information.

 

Regards,
Ashish Varghese
*** Rate All Helpful Responses ***

shgrover
Cisco Employee

Hello Tim,

 

You can put all these computers in a group on AD and call the group or individual usernames in the access/decryption policies. Whenever these systems try to go out of the network on 80/443, the WSA will be able to match the policies you set for them.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

 

I have tried that in the past and it doesn't seem to work. To be clear, I'm talking about adding Computer objects to the group, not user objects. The WSA only seems to be able to look at the logged-in user. The computer name never shows up anywhere in the logs. Are you sure the WSA has this capability? User identification has always worked as expected via Kerberos.

IIRC, when a user logs in, that user takes over as owner of the IP.

Thanks, Ken,

 

Confirms what I'm seeing and means that the WSA cannot do what I had hoped. I would think others may benefit from that feature, so maybe an enhancement down the road?


Tim

Tim,

 

You are right, I was talking about user objects. Let me check if I can file an FR for you.

 

Regards

Shikha Grover 

 

 
