Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3903
Views
10
Helpful
7
Replies

Transparent user ID vs Authenticated user

tahequivoice
Level 2
Level 2

‎03-24-2015 11:48 AM

Reviewing a setup, and noticed in the later version of code, 8.0 for example, there are two methods for access.  Since FF and Safari have issues authenticating access when browsing, and IE does not, would the transparent user ID work the same way for authenticated users, and how would that work with AD?

1 person had this problem
Labels:
0 Helpful
7 Replies 7

Handy Putra
Cisco Employee
Cisco Employee

‎03-28-2015 06:18 PM

When you have transparent user ID enable and using AD agent(Context Directory Agent - CDA), this mechanism that maps IP Addresses to usernames in order to allow security gateways to understand which user is using which IP Address in the network, so those security gateways can now make decisions based on those users (or the groups to which the users belong to).

CDA monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.

Scenario example:

User machine logs in to the domain and CDA agent will catch the user credentials information and map with the IP address of the client and store it in local cache then pass the info to the WSA.

If the AD server down for example, the CDA will still be able to relay information regarding the users from its local cache to WSA.

 

For more information regarding Transparent user identification or CDA, please see below link for overview:

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_oveviw.html

 

mauricioharley
Level 1
Level 1
In response to Handy Putra

‎07-03-2015 01:58 AM

Hello, mates,

 

I have a S170 WSA with AsyncOS version 8.5.1-021.  I also have CDA deployed and configured.  Authentication tests say everything is good, including connection with CDA.  HTTPS decryption is activated as well.

 

However, my users are still getting authentication prompts everyday and many times inside the same day.  It happens randomly and is browser-independent.  I changed authentication timeouts from default values of 3600 seconds to 86400 (one day) but it did not solve the issue (please check attached image).

 

Could you please help me find the final solution to this?

 

I appreciate,

Mauricio Harley

Preview file
80 KB
0 Helpful

David Niemann
Level 3
Level 3
In response to mauricioharley

‎08-12-2015 12:53 PM

You actually configure it to use the CDA agent under Identities.  In one of your Identities, you select Identify Users Transparently under Identification and Authentication.  This also assumes you have the CDA enabled under Network -> Authentication -> Authentication Realm ->Active Directory Agent.  You have to check the box for Enable Transparent User Identification using Active Directory Agent.  You need to have the Server defined under Primary Active Directory agent along with the shared secret you created on the CDA system.

0 Helpful

David Niemann
Level 3
Level 3
In response to Handy Putra

‎07-20-2015 09:39 AM

If CDA is down will the WSA use the pass thru authentication from the user's browser as a failback authentication mechanism?

0 Helpful

David Niemann
Level 3
Level 3
In response to Ken Stieers

‎08-12-2015 11:48 AM

If CDA doesn't have the authentication information will the WSA try to get the creds from the browser?

0 Helpful

Ken Stieers
VIP
VIP
In response to David Niemann

‎08-12-2015 12:58 PM

Yes.

 

0 Helpful
Customers Also Viewed These Support Documents