
LDAP User authentication WSA vs SMA

Hi Everyone,

I am setting up two WSA devices managed by an SMA device. I am working on setting up the WSA LDAP for user authentication (having issues, but that is another subject). What I am trying to figure out is the relationship between the WSA settings and the SMA settings for LDAP. The settings don't seem to be a one-to-one match. I've attached the screenshots of both the Group settings, but I can't for the life of me find the proper settings on the SMA side.

I've set up the WSA side, but I don't want to crush those settings with improper settings on the SMA side.

If someone could help or direct me in a proper direction?

Regards

Stephane Boudreau

1 Accepted Solution

On the WSA, under Network/Authentication, you can add an LDAP Realm if you want users to authenticate to the WSA using basic auth. In a Windows-based network, you'd usually join the WSA to the domain and create an Active Directory realm that uses Kerberos and/or NTLMSSP along with ISE/ISE-PIC to get transparent auth. We also set up an LDAP realm for external authentication and reference that in System Administration/Users, so that admins of the WSA can use their AD creds, not the local accounts. We don't set the user/group queries, as we're relying on ISE-PIC for that.
On the SMA, we set up an LDAP realm as well, also to be used for external authentication of admins. Since we also use the SMA for our ESA, we do enable the Spam Quarantine queries.
Since it sounds like you're using LDAP and basic auth for your users to auth to the WSA and you'll be pushing configs from the SMA, the Realms have to have the same name. You're not pushing the actual LDAP config (user hitting the LDAP server, which LDAP serves) from the SMA to the WSA, just the config of the Identity Profile... so that has to line up/work on the WSA.


amojarra
Cisco Employee

Hi @stephane boudreau 

regarding the relation between WSA's LDAP and SMA's LDAP:

SMA's LDAP configuration is for its own credentials (users being able to log in to the SMA via Active Directory credentials).

For the internet users' list and groups' list, the SMA fetches that data from the WSA. The SMA never establishes a connection to Active Directory to get the users/groups list. (This is why there are some defects, for some versions, where the SMA is not showing the group list and you could manually enter the desired record, such as: DOMAIN\Group'sName)


Regards,

Amirhossein Mojarrad
