Transparent user ID vs Authenticated user

03-24-2015 11:48 AM
Reviewing a setup, and noticed in the later version of code, 8.0 for example, there are two methods for access. Since FF and Safari have issues authenticating access when browsing, and IE does not, would the transparent user ID work the same way for authenticated users, and how would that work with AD?
Labels: Web Security
03-28-2015 06:18 PM
When you have transparent user ID enabled and are using the AD agent (Context Directory Agent - CDA), this mechanism maps IP addresses to usernames in order to allow security gateways to understand which user is using which IP address in the network, so those security gateways can now make decisions based on those users (or the groups to which the users belong).
CDA monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.
Scenario example:
A user machine logs in to the domain, and the CDA agent will catch the user credentials information, map it with the IP address of the client, store it in its local cache, and then pass the info to the WSA.
If the AD server is down, for example, the CDA will still be able to relay information regarding the users from its local cache to the WSA.
For more information regarding Transparent user identification or CDA, please see the link below for an overview:
http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_oveviw.html
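
The mapping-and-fallback flow described in this thread, as an added example that is not part of the original posts and is not Cisco's code: a small model of an IP-to-user cache fed by login events, with the gateway falling back to a browser authentication prompt when no usable mapping exists. The event format, the `MappingCache` class, the expiry value and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample login events (timestamp_seconds, client_ip, username);
# the format is an assumption for this example, not the CDA's real event schema.
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "CORP\\alice"),
    (160, "10.0.0.9", "CORP\\bob"),
    (900, "10.0.0.5", "CORP\\carol"),   # same IP, later login: replaces alice
]

@dataclass
class Mapping:
    user: str
    learned_at: int

class MappingCache:
    """Hypothetical stand-in for the agent's IP-to-user cache."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds          # assumed expiry; not a documented default
        self.by_ip = {}

    def learn(self, ts, ip, user):
        # Keep only the most recent login seen for each IP address.
        current = self.by_ip.get(ip)
        if current is None or ts >= current.learned_at:
            self.by_ip[ip] = Mapping(user, ts)

    def lookup(self, ip, now):
        # Answer from the cache alone, so it still works if the DC is unreachable.
        m = self.by_ip.get(ip)
        if m is None or now - m.learned_at > self.ttl:
            return None
        return m.user

def identify(cache, ip, now):
    """Gateway-side decision: transparent identity if mapped, else prompt."""
    user = cache.lookup(ip, now)
    if user is not None:
        return ("transparent", user)
    return ("browser_auth", None)       # fallback: ask the browser for credentials

def build_cache(events, ttl_seconds=3600):
    cache = MappingCache(ttl_seconds)
    for ts, ip, user in events:
        cache.learn(ts, ip, user)
    return cache

if __name__ == "__main__":
    cache = build_cache(SAMPLE_EVENTS)
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        print(ip, identify(cache, ip, now=1000))
```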
07-03-2015 01:58 AM
Hello, mates,
I have a S170 WSA with AsyncOS version 8.5.1-021. I also have CDA deployed and configured. Authentication tests say everything is good, including connection with CDA. HTTPS decryption is activated as well.
However, my users are still getting authentication prompts every day and many times inside the same day. It happens randomly and is browser-independent. I changed authentication timeouts from default values of 3600 seconds to 86400 (one day) but it did not solve the issue (please check attached image).
Could you please help me find the final solution to this?
I appreciate,
Mauricio Harley
08-12-2015 12:53 PM
You actually configure it to use the CDA agent under Identities. In one of your Identities, you select Identify Users Transparently under Identification and Authentication. This also assumes you have the CDA enabled under Network -> Authentication -> Authentication Realm -> Active Directory Agent. You have to check the box for Enable Transparent User Identification using Active Directory Agent. You need to have the Server defined under Primary Active Directory agent along with the shared secret you created on the CDA system.
07-20-2015 09:39 AM
If CDA is down will the WSA use the pass thru authentication from the user's browser as a failback authentication mechanism?
07-20-2015 01:22 PM
Yes.
08-12-2015 11:48 AM
If CDA doesn't have the authentication information will the WSA try to get the creds from the browser?
08-12-2015 12:58 PM
Yes.
