Long delay between AD group changes and web appliance seeing the change

zlajoie
Level 1

I am currently evaluating a Cisco S170 - OS 7.1.3-021 for Web.  I have set it up to use our Active Directory to allow access to specific access policies based on the group they are in.  There are 2 groups - 1. "Internet Access" group allows basic web access, but blocks social media. 2. "Internet Access - Social Media" group allows basic web access and social networking sites.  The problem I am having is if I move a user from Internet Access to Internet Access - Social Media then it takes probably an hour before the Cisco appliance sees the move and allows the user the new access.  I am verifying this through the Policy Trace under the System Administration link.  I have verified that the 2 domain controllers in use see the move immediately, so I don't think they are causing the issue.

Is there a time setting that I can use to force it to resync with the domain controllers faster? 

7 Replies

Christian Rahl
Level 1

The following is the quickest solution.

Navigate to System Administration -> Log Subscriptions.

Click on Authlogs.

Change the Log Level from Information to Trace. Submit and commit the changes.

Once that is done go back and set the Log level to whatever you had it at before.

This will force an update of the groups.

As for time settings, there are currently none.

Christian Rahl

Customer Support Engineer                      

Cisco IronPort - Web Security Appliances

Cisco Technical Assistance Center RTP

United States Ironport: 1-877-641-IRON (4766)

Chris,

Since the box is a member of the domain, and I presume it's getting a full Token, wouldn't the group membership come over if they have to re-auth?  So if your surrogate timed out say, every 15 min, wouldn't you get close to what Zak is looking for?

Ken

Not completely. Even if a user has to re-authenticate, we might not get the most up-to-date group information.  There is a combination of the Basic Authentication TTL settings and surrogate settings.

If the Basic Authentication TTL timer hits the refresh then the next time the user authenticates the user will be corrected.  So if the surrogates are set to 3600 and the TTL is set to 3600 it could be 2 hours before everything updates.

You can decrease those timers; however, that will increase the amount of authentication the box has to do. This will put the Ironport under more strain.

The quickest solution is to use the authlogs process.

Christian Rahl

Zak,

Check Network/Authentication... the Global Authentication Settings.  Specifically "Basic Authentication TTL", and in the Transparent Proxy Mode Authentication Settings box, the Credential Cache Options timeouts...

And you really should upgrade that box to 7.5, and look at the ADAgent...

Ken

Even with TUI, the TTL will still affect the user and group match. The nice thing about TUI is you get rid of the surrogate timer.

Christian Rahl

I just received the appliance on Monday, so I thought it had the latest build.  I'll check the update options now. 

Thanks for the reply.

Edit: I wasn't familiar with the TUI term that Christian referenced, had to google it.  I'm getting the 7.5 build installed now.  I guess I'll have to still change the Authlog level to force a resync with the new build too?  Not a big deal, I just need to document it for my support staff.  Thanks for all the replies.  I was pleasantly surprised to see them after returning from lunch

But nobody wants to go touch the log process every time a user is changed in AD...

So the answer is a little of both...

Tweak the timers down a bit, but not too far...and be ok with some lag before a change takes place, unless you can't be OK (CEO says "I must see facebook!111!") so you go twiddle the log settings...

blech...