Ironport getting machine name instead of AD user

cgarringer
Level 1

This week we started getting problems from users being rejected by the Ironport S650. This was after correcting a misconfiguration that had the final policy allowing access instead of a global BLOCK access. What we found was that users were sending the machine account instead of the user's AD account name. We did find some hits on allowing winupdate, etc. that the machine apparently attempts on bootup and did that. We are still seeing the problem. One user especially starts on wireless OK for <1 hr, no access for 18 min. (timeout is 15 min), and the next request sends the machine name. The user switches to a wired connection and sends the AD user name. Then there is an 8 minute break and the user is sending the machine name again. This is happening for about 6 users out of 900. Is there any way to get the Ironport to ignore machine accounts (no $@AD allowed?)

We are on 7.1.3-014 on the Ironport, AD is 2008R2. Users are XP and Windows 7.

1 Reply

jenmorto
Level 1

If you are able/willing to move to 7.5, there's a new feature that allows you to define a timeout value for how long the WSA uses the machine credentials. After the timeout, it prompts users to enter their own credentials.  This is a way to work around Windows' NCSI feature.  You can read about this feature/enhancement in the 7.5 release notes here:

http://www.cisco.com/en/US/docs/security/wsa/wsa7.5/release_notes/WSA_7.5.0_Release_Notes.pdf

And that references where you can read about the feature in the 7.5 user guide. (The “Working with Windows 7 and Windows Vista” section in the “Authentication” chapter of the Cisco IronPort AsyncOS for Web User Guide.)

Jennie
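Before (or after) an upgrade, an administrator will want to confirm which clients are actually presenting machine credentials, since AD machine accounts are recognisable by the trailing `$` on the sAMAccountName (`DOMAIN\HOST$` or `host$@realm`). The script below is an added example written for this thread, not code from the original posts or from Cisco; it assumes a simplified squid-style access-log layout with the authenticated user in a quoted field, and the sample lines are constructed. It tallies user-account versus machine-account requests per client IP and lists the hosts that flip between the two, which is the pattern the poster describes.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed layout: timestamp, elapsed ms,
# client IP, result/status, bytes, method, URL, "user", hierarchy, content type).
# These are not real Cisco WSA log lines.
SAMPLE_LOG = r"""
1354030000.100 120 10.1.5.22 TCP_MISS/200 4321 GET http://intranet.example.com/ "LAB\jdoe" DIRECT/10.2.0.5 text/html
1354030300.100 90 10.1.5.22 TCP_MISS/200 512 GET http://www.msftncsi.com/ncsi.txt "LAB\WS1234$" DIRECT/10.2.0.5 text/plain
1354031500.100 200 10.1.5.22 TCP_DENIED/403 0 GET http://news.example.com/ "LAB\WS1234$" NONE/- text/html
1354030500.100 80 10.1.5.40 TCP_MISS/200 2048 GET http://www.example.org/ "LAB\asmith" DIRECT/10.2.0.6 text/html
1354030600.100 60 10.1.5.41 TCP_MISS/200 1024 GET http://update.example.com/ "LAB\WS5678$" DIRECT/10.2.0.6 text/html
"""

# Hypothetical field layout used by the constructed lines above.
LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<user>[^"]*)"'
)


def is_machine_account(user):
    """True if the identity is an AD computer account (sAMAccountName ends in '$').

    Accepts both DOMAIN\\name and name@realm forms; '-' or empty means no auth.
    """
    name = user.split("\\")[-1]   # drop DOMAIN\ prefix if present
    name = name.split("@")[0]     # drop @realm suffix if present
    return name.endswith("$")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = float(d["ts"])
    return d


def summarize(lines):
    """Per client IP: how many requests carried a user vs a machine identity."""
    summary = defaultdict(lambda: {"user_requests": 0, "machine_requests": 0,
                                   "user_accounts": set(), "machine_accounts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] in ("", "-"):
            continue  # skip blanks, non-matching lines and unauthenticated requests
        entry = summary[rec["client"]]
        if is_machine_account(rec["user"]):
            entry["machine_requests"] += 1
            entry["machine_accounts"].add(rec["user"])
        else:
            entry["user_requests"] += 1
            entry["user_accounts"].add(rec["user"])
    return dict(summary)


def affected_clients(summary):
    """Clients that sent both a user identity and a machine identity (the flip-flop)."""
    return sorted(ip for ip, e in summary.items()
                  if e["user_requests"] and e["machine_requests"])


def machine_only_clients(summary):
    """Clients that never presented a user identity at all (e.g. boot-time traffic)."""
    return sorted(ip for ip, e in summary.items()
                  if e["machine_requests"] and not e["user_requests"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for ip, e in sorted(s.items()):
        print(f"{ip}: user={e['user_requests']} machine={e['machine_requests']} "
              f"users={sorted(e['user_accounts'])} machines={sorted(e['machine_accounts'])}")
    print("flip-flopping clients:", affected_clients(s))
    print("machine-only clients:", machine_only_clients(s))
```

Feed it the real access log with `summarize(open(path))` once the regex is adjusted to the log format actually configured on the appliance; the flip-flopping list is the set of hosts where a machine-credential timeout such as the 7.5 feature Jennie mentions would change behaviour, and the machine-only list is mostly boot-time traffic that a policy exemption already covers.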