08-21-2013 01:13 PM
Hi,
We need to configure an exception so that the network 10.0.53.0/24 does not require validation in the Ironport WSA. However, users of this network must still pass through all the content filters appropriate to their AD group.
NOTE: I need the Ironport to not send requests to Active Directory when users on the network 10.0.53.0/24 need to go to the internet.
regards,
Yerko.
08-21-2013 02:04 PM
Hi Yerko,
You have to use authentication in order for users to be applied to an access policy based on an AD group. If you want the users to be passed through the WSA unauthenticated, you can do so by creating a no-authentication identity based on IP class or subnet. But you will not be able to use AD groups, as the WSA does not maintain a listing of users and groups, since that would require AD to be installed and licensed on the WSA.
Sincerely, 
 
Erik Kaiser 
WSA CSE 
WSA Cisco Forums Moderator
08-21-2013 02:48 PM
Actually, this appliance is licensed with the following feature keys:

Is any other feature necessary?
If you have news, let me know please.
regards,
Yerko
08-21-2013 10:58 PM
Greetings Yerko,
No other features are required for the authentication piece.
In order for the WSA to determine what AD Groups a user/IP belongs to, it will need to do authentication. Therefore, you will not be able to bypass authentication based on AD group. I hope this helps.
-Vance
08-22-2013 12:49 PM
Then this idea is not possible: "We need to configure an exception so that the network 10.0.53.0/24 does not require validation in the Ironport WSA. However, users of this network must still pass through all the content filters appropriate to their AD group."
IT IS NOT POSSIBLE??
08-22-2013 10:17 PM
That is correct. This is not possible.
Correct me if I am wrong. It sounds like you do not want authentication, but would still like to control the users using their AD group.
You might want to look into using the Context Directory Agent. With a Context Directory Agent, the agent will scan the Active Directory security logs for logon events. It will build a User-to-IP mapping table. When the users in the 10.0.53.0/24 network access the internet, they will not need to authenticate. The WSA will query the Context Directory Agent and see who is on the IP address. If there is a user, then AD groups can be used. If there is no user, then the user will be a Guest.
The Context Directory Agent runs on CentOS. It will need to be hosted on a dedicated machine or a virtual machine. The required disk space is 120 GB.
-Vance
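The user-to-IP mapping Vance describes, as an added example that is not part of the thread and not Cisco's Context Directory Agent code: it ingests constructed log lines shaped like the relevant fields of a Windows Security logon event (4624), ignores computer accounts, logoff events and sourceless logons, keeps the newest logon per IP, and resolves a client IP in the 10.0.53.0/24 exception subnet to a user (or "Guest" when nothing is known). The event line format, the `GROUP_MEMBERS` table and the function names are assumptions made for this example; a real WSA would ask AD/LDAP for group membership.

```python
"""Toy user-to-IP mapping in the style of a Context Directory Agent.

Added example for this thread; not Cisco's CDA implementation.
Assumptions (all made here): logon events arrive as text lines carrying
the 4624 fields that matter; AD group membership is a hard-coded table;
the authentication-bypass subnet is 10.0.53.0/24 as in the question.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines, not real logs. Each mirrors the parts of a
# Windows Security event that a CDA-style agent needs: time, event ID,
# account, logon type and source address.
SAMPLE_EVENTS = [
    "2013-08-21T09:01:12 EventID=4624 Account=CORP\\ysanchez LogonType=2 SourceAddress=10.0.53.17",
    "2013-08-21T09:02:40 EventID=4624 Account=CORP\\WS-0453$ LogonType=3 SourceAddress=10.0.53.17",
    "2013-08-21T09:05:03 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceAddress=10.0.53.25",
    "2013-08-21T09:06:30 EventID=4634 Account=CORP\\jdoe LogonType=3 SourceAddress=10.0.53.25",
    "2013-08-21T09:07:55 EventID=4624 Account=CORP\\svc_backup LogonType=5 SourceAddress=-",
    "2013-08-21T09:09:10 EventID=4624 Account=CORP\\mlopez LogonType=10 SourceAddress=10.0.53.25",
]

# Constructed AD group table (assumption; a real WSA queries AD/LDAP).
GROUP_MEMBERS = {
    "CORP\\ysanchez": ["Finance"],
    "CORP\\jdoe": ["Engineering"],
    "CORP\\mlopez": ["Engineering", "IT-Admins"],
}

BYPASS_SUBNET = ipaddress.ip_network("10.0.53.0/24")
GUEST = "Guest"

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"LogonType=(?P<type>\d+) SourceAddress=(?P<src>\S+)$"
)


def parse_logon_event(line):
    """Return (timestamp, account, ip) for a usable 4624 event, else None."""
    m = EVENT_RE.match(line)
    if not m or m.group("id") != "4624":   # only successful logons count
        return None
    acct = m.group("acct")
    if acct.endswith("$"):                 # computer account, not a person
        return None
    try:
        ip = ipaddress.ip_address(m.group("src"))
    except ValueError:                     # '-' or any non-address source
        return None
    if ip.is_loopback:                     # local logon, no client IP to map
        return None
    return datetime.fromisoformat(m.group("ts")), acct, ip


def build_user_ip_map(lines):
    """Map ip -> (account, timestamp); the newest logon per IP wins."""
    mapping = {}
    for line in lines:
        parsed = parse_logon_event(line)
        if parsed is None:
            continue
        ts, acct, ip = parsed
        current = mapping.get(ip)
        if current is None or ts > current[1]:
            mapping[ip] = (acct, ts)
    return mapping


def resolve_user(mapping, ip_text):
    """Identity the proxy would use for a client IP without prompting it.

    Returns None for addresses outside the bypass subnet (normal
    authentication applies there), the mapped account inside it, or
    GUEST when the agent has seen no logon from that address.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip not in BYPASS_SUBNET:
        return None
    entry = mapping.get(ip)
    return entry[0] if entry else GUEST


def groups_for(mapping, ip_text):
    """AD groups to apply policy against; empty for guests and non-bypass IPs."""
    user = resolve_user(mapping, ip_text)
    if user is None or user == GUEST:
        return []
    return GROUP_MEMBERS.get(user, [])


if __name__ == "__main__":
    table = build_user_ip_map(SAMPLE_EVENTS)
    for client in ("10.0.53.17", "10.0.53.25", "10.0.53.200", "10.0.54.5"):
        print(client, resolve_user(table, client), groups_for(table, client))
```

Two edge cases the example handles are the ones that bite in practice: a machine-account logon on the same host must not overwrite the interactive user, and a shared address that sees a second user later must switch to that newer identity, since the proxy has no other signal that the first user left.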