Question regarding WSA Identification Profiles

FredrikW73 (Level 1)

Hi,
I am quite new to the WSA. I have a question that I hope someone can answer.

I find the comment below from the WSA user guide peculiar:

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-7/user_guide/b_WSA_UserGuide_11_7/b_WSA_UserGuide_11_7_chapter_0110.html
Document: User Guide for AsyncOS 11.7 for Cisco Web Security Appliances - GD (General Deployment)
Chapter: Classify End-Users for Policy Application

Heading: Classifying Users and Client Software

Step 8 In the Membership Definition section, under Advanced/URL Categories:

"If you need to define membership by URL category, only define it in the Identity group when you need to exempt from authentication requests to that category."

 

Why is it not OK to specify a URL category that requires authentication?

Accepted Solution

If you use a category at the "identity" level, that "becomes the identity" that is used to map which policy is applied. So those transactions are treated as un-authenticated. You'll get an IP in the logs, but not a username, because for that specific transaction you don't have one.

Typically in Identification Profiles you'll see the Global Identification Profile, which is tied to whatever directory you have (AD, LDAP, etc.), and then possibly some exceptions based on IPs, or more rarely a custom category of URLs where certain computers or certain sites that don't play well with auth are exempted from authentication.

 

View solution in original post
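As an added illustration (not code from the thread or from Cisco), here is a small Python audit that looks for the symptom the accepted answer describes: transactions that were mapped to an Identification Profile by URL category and therefore logged a client IP but no username. The sample log lines are constructed; the field layout and the ACL decision tag layout are my assumptions about the default WSA squid-style access log, and "DefaultGroup" and "Global_Identification_Profile" are assumed spellings of the global objects, so check them against your own accesslog before relying on the parser.

```python
"""Audit WSA access log lines for transactions that were mapped to an
Identification Profile but carry no username (IP only).

Added example, not code from the thread or from Cisco. The sample lines
below are constructed; the field layout is an assumption about the default
WSA squid-style access log, so verify it against your own accesslog.
"""
import re
from collections import Counter

# Assumed field order of the default WSA access log:
#  0 timestamp  1 elapsed ms  2 client IP  3 result/HTTP status  4 bytes
#  5 method  6 URL  7 username ("-" when no user is known)  8 hierarchy/server
#  9 MIME type  10 ACL decision tag  11+ scan verdict details in <...>
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Assumed ACL decision tag layout:
#   DECISION-AccessPolicyGroup-IdentificationProfile-...-RoutingPolicy
TAG_POLICY_GROUP = 1
TAG_IDENTITY_PROFILE = 2

# Constructed sample lines. "Hacking" (profile and policy group) comes from the
# thread; "DefaultGroup" and "Global_Identification_Profile" are assumed
# spellings of the global policy group and global Identification Profile.
SAMPLE_ACCESSLOG = """\
1278096903.150 97 10.1.2.3 TCP_MISS/200 8187 GET http://hacking-tools.example/ - DIRECT/hacking-tools.example text/html DEFAULT_CASE_11-Hacking-Hacking-NONE-NONE-NONE-DefaultRouting <hack,5.0,-,"-",-,-,-> -
1278096904.210 45 10.1.2.3 TCP_MISS/200 2048 GET http://intranet.example/ "Example-Domain\\jdoe" DIRECT/intranet.example text/html DEFAULT_CASE_11-DefaultGroup-Global_Identification_Profile-NONE-NONE-NONE-DefaultRouting <comp,6.9,-,"-",-,-,-> -
1278096905.330 12 10.1.2.9 TCP_DENIED/403 0 GET http://hacking-tools.example/x - NONE/- - BLOCK_WEBCAT_11-DefaultGroup-Global_Identification_Profile-NONE-NONE-NONE-DefaultRouting <hack,5.0,-,"-",-,-,-> -
"""


def parse_line(line):
    """Split one access log line into the fields this audit needs."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < 11:
        raise ValueError("not a WSA access log line: %r" % line)
    # Policy names containing hyphens would need a smarter split than this.
    tag = tokens[10].split("-")
    return {
        "client_ip": tokens[2],
        "status": tokens[3],
        "url": tokens[6],
        "user": tokens[7].strip('"'),
        "decision": tag[0],
        "policy_group": tag[TAG_POLICY_GROUP] if len(tag) > TAG_POLICY_GROUP else "",
        "identity_profile": tag[TAG_IDENTITY_PROFILE] if len(tag) > TAG_IDENTITY_PROFILE else "",
    }


def parse_accesslog(text):
    """Parse every non-empty line of an access log excerpt."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unauthenticated_by_profile(records, profile):
    """Transactions mapped to `profile` that logged a client IP but no username."""
    return [r for r in records
            if r["identity_profile"] == profile and r["user"] == "-"]


def profile_auth_summary(records):
    """Count (identification profile, username present) pairs for a quick audit."""
    return Counter((r["identity_profile"], r["user"] != "-") for r in records)


if __name__ == "__main__":
    records = parse_accesslog(SAMPLE_ACCESSLOG)
    for r in unauthenticated_by_profile(records, "Hacking"):
        print("IP only, no user:", r["client_ip"], r["url"], "->", r["policy_group"])
    for (profile, has_user), n in sorted(profile_auth_summary(records).items()):
        print(profile, "with username" if has_user else "without username", n)
```

Run it against a real accesslog excerpt by replacing SAMPLE_ACCESSLOG; if a profile that is meant to require authentication shows up mostly "without username", that is the behaviour the accepted answer warns about and the membership definition of that profile is worth revisiting.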

3 Replies

balaji.bandi (Hall of Fame)

Not sure if I have addressed this correctly here:

You are looking to authenticate every URL. As per a general deployment, the user is already authenticated with a central system like AD; AD defines which group the user belongs to and what URLs he can access. The same can be defined in the access control, to define what group can access what content.

Does that make sense? Sorry if my answer disappointed; or explain more with an example so I can understand your concern.

 

BB


I am looking at a decryption/access policy created long before I joined the network team and am trying to understand the outcome.

 

The policy says:

Identification Profiles
Name = Hacking, Authenticate users by Active Directory, Use Kerberos, NTLMSSP or Basic
Auth Surrogate = IP addr, Member subnets - Empty, Member Protocols = HTTP/HTTPS
Proxy ports - Empty, User Agents - Empty, URL Category = Hacking
-------------------------------------------------------------------------------------------
Decryption Policy
Group:
Name = Hacking, Identification Profile = Hacking,
Selected Groups and Users; Groups - EMPTY, Realm = Example-Domain, Users = Example-Domain\username
Proxy Ports - none selected, Subnets - none selected, Time Range - Not defined
User Agents - none selected, URL Categories = URL Categories Hacking in Identification Profile Hacking

URL Filtering: Category - Hacking > Monitor
Web Reputation = Global Policy (Enabled)
Default Action = Global Policy (Pass Through)


The Global Policy has Drop for category Hacking.
-------------------------------------------------------------------------------------------

Access Policy
Group:
Name = Hacking, Identification Profile = Hacking,
Selected Groups and Users; Groups - EMPTY, Realm = Domain, Users = Domain\username
Protocols = HTTP/HTTPS/FTP over HTTP in Identification Profile Hacking
Proxy Ports - none selected, Subnets - none selected, Time Range - Not defined
User Agents - none selected, URL Categories = URL Categories Hacking in Identification Profile Hacking

Protocols and User Agents = Global Policy (No Blocked items)
URL Filtering: Category - Hacking > Monitor
Applications = Global Policy (most applications allowed)
Objects = Global Policy (No Blocked items)
Anti-Malware and Reputation = Global Policy (both enabled)

 

The Global Policy has Drop for category Hacking.
-------------------------------------------------------------------------------------------

From what I can see we require authentication for visitors to websites of the category Hacking. Unless you are the user listed in the "Hacking policy" you will end up on the Global Policy and be blocked from visiting the site.

If this is set up correctly, the policy named Hacking will require authentication for the specific URL category Hacking.


Now, back to the quote about Identification Profiles from the user guide:
"If you need to define membership by URL category, only define it in the Identity group when you need to exempt from authentication requests to that category."

 

According to this statement the above config is wrong, because we are not exempting the Identity group from authentication. So what is the meaning of the quote? It must be of some importance, since the user guide explicitly spells it out. Why only define a URL category for the purpose of exempting from authentication?

In my example above the purpose is to trigger authentication, not to exempt from authentication.

