cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1370
Views
0
Helpful
5
Replies

Ironport don´t send request to Active Directory

Hi,

     

We need to configure an exception to allow the network 10.0.53.0/24 not require validation in Ironport WSA. however users of this network must pass through all content filters appropriate according to their AD group.

NOTE: I need that Ironport don´t send request to Active Directory, when users to network 10.0.53.0/24 need go to internet.

regards,

Yerko.

5 Replies 5

Erik Kaiser
Cisco Employee
Cisco Employee

Hi Yerko,

You have to use authentication in order for users to be applied to an access policy based on an AD group. If you want the users to be passed through the WSA unauthenticated you can do so by creating a no authentication identity based on IP class or subnet. But you will not be able to use AD groups as the WSA does not maintain a listing of users and groups as that would require AD to be installed and licensed on the WSA.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

Actually this appliance are licensed with following features keys:

it´s necesary other feature ?

If you have news, let me know please.

regards,

Yerko

Greetings Yerko,

No other features are required for the authentication piece.

In order for the WSA to determine what AD Groups a user/IP belongs to, it will need to do authentication.  Therefore, you will not be able to bypass authentication based on AD group.  I hope this helps.

-Vance

Then it's no possible that idea : "We need to configure an exception to allow the network 10.0.53.0/24 not require validation in Ironport WSA. however users of this network must pass through all content filters appropriate according to their AD group."

IS NO POSSIBLE ??????????

That is correct.  This is not possible.

Correct me if I am wrong.  It sounds like you do not want Authentication, but still would like to control them using the AD group.

You might want to look into using the Context Directory Agent.  With a Context Directory Agent, the agent will scan the Active Directory security logs for logon events.  It will build a User-to-IP mapping table.  When the users in the 10.0.53.0/24 network access the internet, they will not need to authenticate.  The WSA will query the Context Directory Agent and see who is on the IP address.  If there is a user, then AD groups can be used.  If there is no user, then the user will be a Guest.

The Context Directory Agent runs on CentOS.  It will need to be hosted on a dedicated machine, or a virtual machine.  The required disk space is 120gb.

-Vance