Cisco WSA - trusted domain - AD group

lmoceze
Level 1

Hello Fellow networkers! 

I am facing the problem that my friends have the old remote domain: olddomain.local.
They are so nice, because they trust me and want to use my fancy Cisco WSA proxies (running 12.5 and 14.0).
But my domain is joined to our new shiny domain: newdomain.business.
My other friends who are managing servers already set up the trust between the domains (two-way).
However, when the friends from olddomain.local want to access something on the internet that should be allowed based on the category and the AD group membership, it denies them.
I have added the AD group olddomain.local\Internet to the access policy by typing it in simply (the trusted domain lookup was not really working).
We also tried to add the AD group olddomain.local\Internet to the AD group newdomain.business\Internet, but the access is still denied.
What is puzzling me, though: when I check the logs, the ad_group_memberships field said "olddomain.local\Internet" (now it says: olddomain.local\Internet,newdomain.business\Internet).
Oh, and it also sees the user: OLDDOMAIN\MyFriend.

So my understanding is that it can see the group membership, but something is missing in the access policy?
Or is it the other way around?

Maybe someone has more understanding about the topic?
Thank you for the help! 

3 Replies

balaji.bandi
Hall of Fame
We also tried to add the AD-group olddomain.local\Internet to add the AD-group newdomain.business\Internet, but the access is still denied. 

This depends on how the policy is set up. Go to the command level and check the logs for the reason access is denied.

Login  to command level

> tail

> 1 for access logs

Follow the guided steps; you can add the username or a regex for the username that is denied and check the logs for which policy it is hitting and denied, to give you direction.


Some reference (I am sure you have already set this up):

https://community.cisco.com/t5/security-knowledge-base/ad-group-based-policy-wsa/ta-p/3155772#:~:text=on%20%E2%80%8E08-05-2015,select%20the%20Identity%20created%20above.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the answer! 
I have this for example: 

Sep 5 10:54:44 superproxy.noc accesslogs: Info: 1757062474.715 8 172.25.20.172 NONE/503 0 CONNECT tunnel://internet.com:443/ "OLDDOMAIN\MyFriend@LOCALDOMAIN" NONE/internet.com - DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD-NONE-NONE-NONE-DefaultGroup-NONE <"nc",ns,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"nc",-,"-","-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - transaction_id = 949790, http_user_agent = -, ad_group_memberships = "olddomain.local\Internet,newdomain.business\Internet", auth_mechanism = NTLMSSP [ tx_1st_byte_to_server = 0, tx_request_header = 0, tx_response_header = 0, tx_client_body = 0 ] [ rx_1st_request_byte = 0, rx_request_header = 0, rx_client_body = 0, rx_1st_response_byte = 0, rx_response_header = 0, rx_server_response = 0, rx_disk_cache = 0, rx_auth_response = 8, rx_dns_response = 0, rx_wbrs_response = 0, rx_avc_response = 0, rx_avc_total = 0, rx_dca_response = 0, rx_dca_total = 0, rx_mcafee_response = 0, rx_mcafee_total = 0, rx_sophos_response = 0, rx_sophos_total = 0, rx_webroot_response = 0, rx_webroot_total = 0, rx_anti_spyware_response = -, rx_Latency = 8 ] local_time = "05/Sep/2025:10:54:34 +0200"

NONE/503 0 CONNECT tunnel://internet.com:443/ "OLDDOMAIN\MyFriend@LOCALDOMAIN" NONE/internet.com - DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD-NONE-NONE-NONE-DefaultGroup-NONE

This provides you with the information on what needs to be done:

  • The NONE/503 code in Cisco WSA logs means the WSA failed in the HTTP CONNECT tunneling process to the HTTPS site.

  • The user context OLDDOMAIN\MyFriend@LOCALDOMAIN shows the authenticated user for whom the request was processed.

  • The policy tag DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD indicates the proxy applied a Web Categorization (WebCat) and decryption policy that likely blocked the request based on security rules.

This may require some troubleshooting and understanding of the rules.

BB

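As an added triage example that is not from this thread or from Cisco: a small Python parser for the access log entry quoted above, so the fields the reply points at (the result/status code, the authenticated user, the decision tag and ad_group_memberships) can be pulled out and checked mechanically instead of read by eye. It assumes the usual AsyncOS access log field order (epoch, elapsed time, client IP, result/status, size, method, URL, quoted user, hierarchy, MIME type, decision tag) and the general decision-tag layout (ACL decision, policy group, identity, outbound malware scanning policy, data security policy, external DLP policy, routing policy); the eighth hyphen-separated field present in this log line is kept as "extra" rather than given a name. The sample line is the thread's sanitized entry with the long timing bracket abridged.

```python
import re

# Constructed sample: the sanitized entry posted in the thread, with the
# per-component timing bracket shortened. Hosts and names are the thread's
# placeholders, not real infrastructure.
SAMPLE_LINE = (
    'Sep 5 10:54:44 superproxy.noc accesslogs: Info: 1757062474.715 8 172.25.20.172 '
    'NONE/503 0 CONNECT tunnel://internet.com:443/ "OLDDOMAIN\\MyFriend@LOCALDOMAIN" '
    'NONE/internet.com - DECRYPT_WEBCAT_7-DP.BlockAny-ID.WEB.LocalAD-NONE-NONE-NONE-DefaultGroup-NONE '
    '<"nc",ns,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"nc",-,"-","-","-","Unknown","Unknown",'
    '"-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - - '
    'transaction_id = 949790, http_user_agent = -, '
    'ad_group_memberships = "olddomain.local\\Internet,newdomain.business\\Internet", '
    'auth_mechanism = NTLMSSP [ tx_1st_byte_to_server = 0, rx_auth_response = 8, rx_Latency = 8 ] '
    'local_time = "05/Sep/2025:10:54:34 +0200"'
)

# Core positional fields of an access log entry (assumed standard order).
CORE_RE = re.compile(
    r'(?P<epoch>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<user>[^"]*)"\s+'
    r'(?P<hierarchy>\S+)\s+(?P<mime>\S+)\s+(?P<tag>\S+)'
)
# Key/value field that carries the groups the WSA resolved for the user.
GROUPS_RE = re.compile(r'ad_group_memberships = "([^"]*)"')

# Assumed names for the hyphen-separated decision tag components; anything
# beyond the seventh component is kept verbatim under "extra".
TAG_FIELDS = (
    "acl_decision", "policy_group", "identity", "outbound_malware_scanning",
    "data_security", "external_dlp", "routing_policy",
)


def parse_access_line(line):
    """Extract the core fields and the ad_group_memberships list from one entry."""
    m = CORE_RE.search(line)
    if not m:
        raise ValueError("not a recognisable WSA access log entry")
    rec = m.groupdict()
    g = GROUPS_RE.search(line)
    rec["groups"] = [x.strip() for x in g.group(1).split(",") if x.strip()] if g else []
    return rec


def parse_decision_tag(tag):
    """Split the decision tag into named components (policy names with '-' would
    need a smarter split; the names in this thread use dots, so '-' is safe)."""
    parts = tag.split("-")
    info = dict(zip(TAG_FIELDS, parts))
    info["extra"] = parts[len(TAG_FIELDS):]
    return info


def check_groups(seen_groups, expected_groups):
    """Report which expected groups appear in the log. AD group names are not
    case-sensitive, so compare case-folded; the original spelling is returned."""
    seen = {g.casefold() for g in seen_groups}
    present = [g for g in expected_groups if g.casefold() in seen]
    missing = [g for g in expected_groups if g.casefold() not in seen]
    return present, missing


def summarize(line, expected_groups):
    """One-entry triage: who, what decided, and whether the policy's groups were seen."""
    rec = parse_access_line(line)
    tag = parse_decision_tag(rec["tag"])
    present, missing = check_groups(rec["groups"], expected_groups)
    return {
        "user": rec["user"],
        "result": f'{rec["result"]}/{rec["status"]}',
        "target": rec["url"],
        "decision": tag["acl_decision"],
        "policy_group": tag["policy_group"],
        "identity": tag["identity"],
        "present_groups": present,
        "missing_groups": missing,
    }


if __name__ == "__main__":
    # Assumed policy group list: what the access policy in the thread names.
    for k, v in summarize(SAMPLE_LINE, ["olddomain.local\\Internet"]).items():
        print(f"{k:15} {v}")
```

Running `summarize` on the quoted entry shows that both groups the policy names are present in ad_group_memberships, that the identity that matched is ID.WEB.LocalAD, and that the policy group recorded in the tag is DP.BlockAny rather than the access policy the group was added to. That separates "the WSA never saw the group" from "the group was seen but policy matching selected a different policy", which is the question the thread is circling; the same function can be run over a `tail` of the access log filtered to the affected username.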