Cisco WSA - Office365 Authentication bypass - USER REPORTING

administrator31
Level 1

Good Morning All


We have recently set up two Cisco S300V WSAs (virtual).


I have been advised that it's best practice to set up a "Custom and External URL Categories" entry for Office365 where Authentication bypass is set. This is complete and working.


My problem is when we run monthly reporting on user bandwidth usage: the reporting is showing 90% IP addresses. When speaking to Cisco TAC, they advise this is because the main traffic is non-authenticated traffic (office365.com). Does anyone else have this problem when it comes to reporting? I can't provide people with a list of IP addresses as user bandwidth usage.


I'm also concerned what would happen if I removed office365.com from the bypass list.


Does anyone else do user reporting?


balaji.bandi
Hall of Fame

What Cisco TAC mentioned is correct; it depends on your organisation's policy. If all the users are going to the Office 365 cloud for business, that will be most of the traffic in day-to-day operation.


How are the other rules, apart from Office365? How many rules are in the WSA? How is your authentication against AD?

BB


Thanks for your reply.


The issue is that the user report shows IP addresses and not users (Active Directory names).


This is because the Office365 traffic is set as Auth Bypass and won't report as a "user".


So the top bandwidth is shown as IP addresses (of machines). I'm assuming that if I remove the Auth bypass then traffic will show as users, because each user would need to authenticate the traffic. Not sure if this would break other things by setting auth on all Office traffic.

It could break stuff if you aren't getting authentication somehow before you start Office apps.

If you still have 2012 domain controllers, you could deploy CDA.

As a test, SSH to the WSA and tail the access log, using the IP of a workstation as the regular expression. Then log in to that box and go to any website that would require authentication.
Then open Outlook... you should see the user ID on that traffic.


If you deploy a CDA, or have ISE with passive identity, you can feed authentication info to the WSA before users hit any Office365 sites.
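The reporting gap the thread describes (bypassed Office365 requests carrying no username, so the bandwidth report rolls them up by client IP) and the tail-the-accesslog test above can both be reproduced offline on a few log lines. The script below is an added example, not code from the thread or from Cisco: it assumes the Squid-style default WSA accesslog layout (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy/peer, MIME type, ACL tag), with `-` in the user field for unauthenticated requests; the sample lines, the `O365Bypass` policy name and the `CORP\...` usernames are constructed. `correlate_by_client_ip` stands in for what a CDA or ISE passive-identity feed would do for the proxy itself: it reuses a username seen authenticating from the same client IP to label that IP's bypassed traffic. That is only a heuristic for a report: it breaks for terminal servers, NAT, or any address shared by several users within the window.

```python
"""Summarise WSA accesslog bandwidth by identity and measure the unauthenticated share.

Assumed layout (Squid-style WSA accesslog):
  ts elapsed client_ip result/status bytes method url user hierarchy/peer mime acl_tag ...
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not real log data. Bypassed Office365/Teams requests
# carry "-" as the user; authenticated requests carry a quoted DOMAIN\user.
SAMPLE_ACCESSLOG = """\
1700000001.100 90 10.0.0.21 TCP_MISS/200 8000 GET https://outlook.office365.com/owa/ - DIRECT/outlook.office365.com text/html DEFAULT_CASE_12-O365Bypass-NONE-NONE-NONE-NONE-NONE -
1700000002.200 120 10.0.0.21 TCP_MISS/200 50000 GET https://www.example.com/report.pdf "CORP\\jsmith" DIRECT/www.example.com application/pdf DEFAULT_CASE_11-DefaultGroup-ADIdentity-NONE-NONE-NONE-NONE -
1700000003.300 80 10.0.0.21 TCP_MISS/200 400000 GET https://outlook.office365.com/mail/ - DIRECT/outlook.office365.com application/json DEFAULT_CASE_12-O365Bypass-NONE-NONE-NONE-NONE-NONE -
1700000004.400 75 10.0.0.22 TCP_MISS/200 30000 GET https://www.example.org/ "CORP\\akhan" DIRECT/www.example.org text/html DEFAULT_CASE_11-DefaultGroup-ADIdentity-NONE-NONE-NONE-NONE -
1700000005.500 60 10.0.0.23 TCP_MISS/200 100000 GET https://teams.microsoft.com/ - DIRECT/teams.microsoft.com application/json DEFAULT_CASE_12-O365Bypass-NONE-NONE-NONE-NONE-NONE -
"""


def parse_accesslog_line(line):
    """Split one accesslog line into the fields the report needs."""
    fields = line.split()
    if len(fields) < 11:
        raise ValueError("unexpected accesslog layout: " + line)
    user = fields[7].strip('"')
    return {
        "ts": float(fields[0]),
        "client_ip": fields[2],
        "status": fields[3],
        "bytes": int(fields[4]),
        "method": fields[5],
        "host": urlsplit(fields[6]).hostname or fields[6],
        "user": None if user == "-" else user,  # "-" means no authenticated identity
        "acl_tag": fields[10],
    }


def parse_accesslog(text):
    return [parse_accesslog_line(l) for l in text.splitlines() if l.strip()]


def bandwidth_by_identity(records):
    """Bytes per identity as the WSA report shows it: username when known, else client IP."""
    totals = defaultdict(int)
    for r in records:
        totals[r["user"] or r["client_ip"]] += r["bytes"]
    return dict(totals)


def unauthenticated_share(records):
    """Fraction of all bytes that carried no username (what turns the report into IPs)."""
    total = sum(r["bytes"] for r in records)
    unauth = sum(r["bytes"] for r in records if r["user"] is None)
    return unauth / total if total else 0.0


def unauthenticated_hosts(records):
    """Destination hosts that never carried a username: the auth-bypassed destinations."""
    seen_auth, seen_unauth = set(), set()
    for r in records:
        (seen_auth if r["user"] else seen_unauth).add(r["host"])
    return seen_unauth - seen_auth


def correlate_by_client_ip(records):
    """Attribute bypassed traffic to the user last seen authenticating from the same IP.

    Heuristic only: assumes one user per client IP in the window, which is false
    for NAT, terminal servers or shared workstations.
    """
    ip_to_user = {}
    for r in records:
        if r["user"]:
            ip_to_user[r["client_ip"]] = r["user"]
    totals = defaultdict(int)
    for r in records:
        identity = r["user"] or ip_to_user.get(r["client_ip"], r["client_ip"])
        totals[identity] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_accesslog(SAMPLE_ACCESSLOG)
    print(f"unauthenticated share of bytes: {unauthenticated_share(recs):.0%}")
    print("bypassed destinations:", ", ".join(sorted(unauthenticated_hosts(recs))))
    print("\nas the WSA report shows it:")
    for ident, b in sorted(bandwidth_by_identity(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {ident:24} {b:>10}")
    print("\nafter correlating unauthenticated traffic by client IP:")
    for ident, b in sorted(correlate_by_client_ip(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {ident:24} {b:>10}")
```

On the sample, about 86% of the bytes have no username, which is the shape of the 90%-IP-addresses report in the question; after IP correlation the two workstations that ever authenticated resolve to users, while 10.0.0.23, which only ever hit bypassed destinations, stays an IP. That last case is exactly what the test in the reply above checks for: an identity that reaches the WSA only if something (a non-bypassed site visit, CDA, or ISE) authenticates the client before the Office traffic starts.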