Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1647
Views
0
Helpful
6
Replies

CDA gathering wrong user name, therefore web polices not working

Go to solution
keithsauer507
Level 5
Level 5

‎02-20-2015 05:38 AM

Hello,

Normally Youtube and social media are blocked for our organization, except for Marketing department as they handle our social media.  Today I had a ticket saying youtube was blocked.  They provided the link and I see the system is not detecting them as their user name.  It is detecting them as 'scriptlogicuser'.  I checked in CDA and sure enough the user's IP address is mapped to 'scriptlogicuser'.

 

This is a user account that is used in Dell Desktop Authority (previously Quest Desktop Authority, Previously ScriptLogic Desktop Authority).

This is an application suite that can manage a number of login script settings via a web interface.  You can attach printers, map drives, run scripts, install programs, etc...  There is a user account called scriptlogicuser which this service uses to do admin type tasks.  If the user does not have local admin rights (which is best practice in a place of Business), then it uses this account to do administrative settings behind the scenes.


Is there a way to ignore this user name either in Active Directory logging, or CDA?  Doing a quick filter for scriptlogicuser, I return 32 differnet computers logged on between 2/19 13:53 and 2/20 13:36 (I take it that is GMT time).

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to keithsauer507

‎02-23-2015 09:22 AM

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_wrkng.html#36486

Works like a champ through CDA, done it many times.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
keithsauer507
Level 5
Level 5

‎02-20-2015 05:51 AM

This user is working now.  What would of triggered a re-authentication?  Would opening Outlook wrote to the DC log that would have been picked up by CDA?

 

CDA scans every 60 seconds.

Webfilter has an IP surrogate timeout of 120 seconds.

Let me throw this out at you...

Lets say the user logged in, and is detected as 'scriptlogicuser' because when you log in, the login script runs as that context.

Lets say the user immediately tried to fire up youtube.

Blocked right?

 

Ok another scenario, lets say the user opens up Outlook.  Windows ntlm authentication automatically connects it to that users Exchange mailbox.  Is a log written to a DC here that the CDA will pick up?  Assuming they open outlook successfully, within 180 seconds max (60 for CDA plus 120 for surrogate timeout on webfilter - worst case), their internet access should work?

It's important for us to get CDA right because we eventually want to use it with newer ASA firewalls we have yet to configure.

 

 

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to keithsauer507

‎02-23-2015 09:18 AM

You can set the username scriptlogicuser to be ignored in CDA. I don't have one in front of me right now, but it should be pretty obvious through the menus.

0 Helpful

Go to solution
keithsauer507
Level 5
Level 5
In response to Collin Clark

‎02-23-2015 09:20 AM

Ok right off the bat, I didn't see anything.  I'll check the documentation too.

 

This is what I got back from Dell technical support on this issue.  Perhaps another solution would be to somehow get CDA to filter on logon type 2 via WMI query.

 

     The service account scriptlogicuser is obviously not the interactive logged on user.  It is a service account and therefore should not be detected as the interactive logged on user by the Cisco application.  The Cisco application should be filtering for a specific logon type 2 which will distinguish it from the various other logon types.  You can use WMI to independently query for the interactive logged on user by entering the following at a command prompt:  WMIC /Node:computername ComputerSystem Get UserName.  I would recommend that you contact the vendor and ask them if there is a method to instruct the application to ignore that service account or to filter on the appropriate specific logon type.

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to keithsauer507

‎02-23-2015 09:22 AM

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_wrkng.html#36486

Works like a champ through CDA, done it many times.

0 Helpful

Go to solution
keithsauer507
Level 5
Level 5
In response to Collin Clark

‎02-23-2015 09:27 AM

Genius!

 

Somehow I thought that was to "filter the live list" as in to report on it.  

I put the user in there and they vanished.  Browsed the live map a little and also noticed a few service accounts on servers.  Added things like a backup account and SM_* (Exchange health mailboxes) and it really cleaned things up.

 

Thank you again!

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to keithsauer507

‎02-23-2015 09:29 AM

Yeah not the most intuitive element. Glad to hear it's working for you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents