federico.morales
Beginner

Ironport WSA and Active Directory Groups.

We have a WSA that is joined to an Active Directory Domain.

We have a user that is a member of the group Users and the group Managers.

When we generate an Access Policy and set it to match the group Managers, it does not match.

If I do a Policy trace it shows that it does not retrieve the group managers for the user.

Can anyone help me to associate the policy to the group?

Regards

Federico

5 REPLIES
edadios
Cisco Employee

Hello Federico,

Do you actually have an Identity that is specifically configured with the group identified explicitly?

If not, please configure for this.

Also, if the user is not matching that group, what is the identity the logs say it is matching?

Once you have the access log, you can work on configuring an identity that should be matched first by the traffic, so you can apply an access policy to it.

It should first match the identity, then it applies the access policy.

I hope this helps you.

Regards,

Eric

Hello Eric,

Thanks for your reply.

Yes I have set the identity to the specific group.

I'm seeing that it does not match on the policy trace. It's matching the general category that I have for all users.

Regards,

Federico

Instead of using policy trace, do a real traffic test, and get the actual access logs, and try to work out from there what you match, and see how you can manipulate the configuration to match the user group you want.

Does the access policy edit group area actually show this group in the list?

Also, ensure you have a simple group name, no spaces in the name of the group.

I did some more testing... the really strange thing that is happening is for some users the group is retrieved and used and for other users with the same configuration in the AD.

The issue was resolved after the WSA was removed from the AD and rejoined.

Note that the proxy does not update its group listing until that user authenticates. Once you make the changes, please ensure in the accesslogs that the user is authenticating. In the log subscriptions, please add %g as a custom field for the accesslogs for future reference.
