Admin Authentication on WSA using LDAP

Michael Pare
Level 1

I'm trying to configure admin authentication on our WSA S170.  I've had this working for years on our ESA S170 no problem and was delighted when I saw that this was added in 8.5.

We are running AsyncOS 8.5.3-069.  Despite the lack of documentation for this in the User Guide, I thought I had it figured out:

Under Network->Authentication

Created and tested LDAP authentication realm OK

Created External Authentication Query under that realm, it tested OK.  User and group queries worked fine.

Under System Administration->Users->External Authentication

Enabled external authentication OK using LDAP, selected my LDAP External Authentication Query fine.

I added the group names and mapped them to roles on the WSA

Logged out and tried logging back in using my AD admin account - no go.  I tried my AD non-admin account - same issue, no go.

Both of my AD accounts are in groups that I mapped in the last configuration step above.

Despite their having added this feature, I have not been able to find a whole lot of documentation on specifically how to implement it and avoid any gotchas.

Attached is a screenshot.  I copied this field for field from my ESA.  The only change I had to make to get the tests to work was in the group membership query string, where I had to change {u} to {dn}.

Our network security auditors don't like seeing shared, local accounts in use for our network infrastructure so I'm hoping to have this feature working before our audit next month.

5 Replies

I think you want memberOf in the query string to tell if a user is in the group:

(&(objectClass=Group)(memberof={dn}))

This is my group query from my ESA...

(&(memberOf={g})(proxyAddresses=smtp:{a}))

I think I found a bug in this:

If you go to your ESA and test the external auth query, specifically the group membership, it will show doing a query with the login you enter and then doing the group query with the DN of the login.

On the WSA it just uses the login you entered again...

I managed to reproduce this issue in my lab while using “(&(objectClass=group)(member={u}))” for the ”Query String to determine if a user is a member of a group:” configuration in WSA. Can you please use “(&(objectClass=group)(member={dn}))” instead to see if it helps?

Hey Tao,

That worked... But am I right in that the WSA should work like the ESA does?

Ken

Hello Ken,

I know that part looks similar for WSA and ESA. However, they are actually different at the back-end code level. As the "dn" option works for WSA, it looks more like the design rather than a defect.

Hope it helps. Please rate or mark the question as answered if this helps.
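As an added illustration of the {u} versus {dn} difference discussed in this thread (this is example code, not from the thread or from Cisco): a small Python model of the two-step lookup against a constructed in-memory directory. The user query resolves the login to a DN; the group query is then rendered either with the raw login ({u}) or with that DN ({dn}). Only the latter matches AD's member attribute, which holds DNs, so member={u} returns no groups and no roles get mapped. Attribute names, DNs and the simplified filter syntax are assumptions for the demo.

```python
import re

# Constructed in-memory stand-in for AD: DN -> attributes (lists of values).
DIRECTORY = {
    "CN=Ken,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["ken"],
        "memberOf": ["CN=WSA-Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=WSA-Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "cn": ["WSA-Admins"],
        # AD group membership is a list of member DNs, not login names.
        "member": ["CN=Ken,OU=Staff,DC=example,DC=com"],
    },
}

# Matches one equality clause such as (member=CN=Ken,OU=...) inside an AND filter.
_CLAUSE = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def render(template, **subst):
    """Fill {u}/{dn}/{g} placeholders the way the appliance query editor does."""
    for key, value in subst.items():
        template = template.replace("{" + key + "}", value)
    return template


def search(flt):
    """Evaluate a simple AND-of-equality filter (case-insensitive, like LDAP)."""
    clauses = _CLAUSE.findall(flt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        lowered = {k.lower(): v for k, v in attrs.items()}
        if all(any(v.lower() == want.lower() for v in lowered.get(attr.lower(), []))
               for attr, want in clauses):
            hits.append(dn)
    return hits


def resolve_dn(login, user_query="(&(objectClass=user)(sAMAccountName={u}))"):
    """Step 1: the user query turns the typed login into a DN (None if unknown)."""
    hits = search(render(user_query, u=login))
    return hits[0] if hits else None


def groups_for(login, group_query):
    """Step 2: the group query is rendered with both {u} and {dn} available."""
    dn = resolve_dn(login) or ""
    return search(render(group_query, u=login, dn=dn))
```

Swapping the group query between the two templates reproduces the behaviour reported above: the {u} form finds no groups for a valid login, the {dn} form finds WSA-Admins.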