Two Identification Profiles in Access/Decryption Policy (AND/OR)

Sakun Sharma
Level 1

Hello

It is a silly question, but do multiple identification profiles in one access/decryption policy work with OR/AND operation? Can user belong to either one of them to hit the policy or both?

Async OS 9.1.2-022

Thanks

Sakun

3 Replies

Tao Yang
Cisco Employee

WSA will try to match the Identity first, and all conditions in an Identity are ANDed. After matching the Identity, WSA will try to match the Access Policy, therefore the Identity being used by the Access Policy is independent. There is no relationship between the Identities in one Access Policy.

Please bear in mind that WSA will match from top and it will move to the next stage as soon as it matches.

Hope it helps and please mark my reply as correct answer if it does.

Hi Tao

Thanks for the response.

Just need some more clarification to make sure I understood correctly.

Let's consider the scenario below:

Identification Policy

Policy 1. Match subnet x and exempt from authentication

Policy 2. Any subnet and use AD realm for authentication

Access Policy

Rule 1: Identification profile - Policy 1 and Policy 2 (AD group HRDept)

Rule 2: Identification profile - Policy 2 (AD Group FinDept)

Rule 3: Identification profile - Policy 1

Based on your answer, WSA first checks the Identification policy and then checks the Access policy. So in the scenario below:

  1. User belongs to Subnet x and accesses any website.
    1. WSA will match Identification Policy 1, as the user belongs to subnet X
    2. WSA will match Access Rule 1, as it got Identification Policy 1
  2. User belongs to HRDept AD group
    1. WSA will match Identification Policy 2, AD realm based authentication
    2. WSA will match Access Rule 1, as it got Identification Policy 2 and HRDept AD group
  3. User belongs to FinDept AD group
    1. WSA will match Identification Policy 2, AD realm based authentication
    2. WSA will match Access Rule 2, as it got Identification Policy 2 and FinDept AD group

Is that right?

Thanks

Sakun

Hi Sakun, to answer your questions -

Based on your answer, WSA first checks the Identification policy and then checks the Access policy. So in the scenario below:

  1. User belongs to Subnet x and accesses any website.
    1. WSA will match Identification Policy 1, as the user belongs to subnet X
    2. WSA will match Access Rule 1, as it got Identification Policy  

Correct: Identification Policy 1 will be hit since we are within the subnet X (+exempt from auth)

  2. User belongs to HRDept AD group
    1. WSA will match Identification Policy 2, AD realm based authentication
    2. WSA will match Access Rule 1, as it got Identification Policy 2 and HRDept AD group

Correct: This is correct under the assumption that the User does not belong to Subnet X

  3. User belongs to FinDept AD group
    1. WSA will match Identification Policy 2, AD realm based authentication
    2. WSA will match Access Rule 2, as it got Identification Policy 2 and FinDept AD group

Correct: This is correct under the assumption that the User does not belong to Subnet X
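As an added illustration (not from this thread and not Cisco's code), a small Python model of the two-stage, top-down, first-match evaluation Tao describes, run over Sakun's three scenarios. The profile and rule names are the thread's; subnet x, the client addresses and the group sets are constructed, and the shadowed-rule check is my addition, not a WSA feature.

```python
import ipaddress

# Identification profiles, evaluated top to bottom; conditions inside one profile are ANDed.
# "auth": None marks a profile that exempts the client from authentication. Subnet x is constructed.
IDENTIFICATION_PROFILES = [
    {"name": "Policy 1", "subnet": ipaddress.ip_network("10.1.0.0/16"), "auth": None},
    {"name": "Policy 2", "subnet": ipaddress.ip_network("0.0.0.0/0"), "auth": "AD"},
]

# Access rules, evaluated top to bottom. Each rule maps the identification profiles it accepts
# (OR between them) to an AD-group condition (None = any user arriving via that profile).
ACCESS_RULES = [
    {"name": "Rule 1", "profiles": {"Policy 1": None, "Policy 2": {"HRDept"}}},
    {"name": "Rule 2", "profiles": {"Policy 2": {"FinDept"}}},
    {"name": "Rule 3", "profiles": {"Policy 1": None}},
]

def match_identification(client_ip):
    """Stage 1: first identification profile whose subnet contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for profile in IDENTIFICATION_PROFILES:
        if ip in profile["subnet"]:
            return profile
    return None

def match_access(profile_name, groups):
    """Stage 2: first access rule accepting the profile and, if it requires a group, one of the user's groups."""
    for rule in ACCESS_RULES:
        if profile_name not in rule["profiles"]:
            continue
        required = rule["profiles"][profile_name]
        if required is None or required & groups:
            return rule
    return None

def evaluate(client_ip, groups=frozenset()):
    """Run both stages; returns (profile name, rule name), with None where nothing matched."""
    profile = match_identification(client_ip)
    if profile is None:
        return (None, None)
    # An auth-exempt profile never learns the user's groups, so group conditions cannot match.
    effective = frozenset(groups) if profile["auth"] else frozenset()
    rule = match_access(profile["name"], effective)
    return (profile["name"], rule["name"] if rule else None)

def shadowed_access_rules():
    """Rules no request can reach: each profile they accept is already taken by an earlier rule with a looser or equal group condition."""
    shadowed = []
    for i, rule in enumerate(ACCESS_RULES):
        if all(any(p in e["profiles"] and (e["profiles"][p] is None or (g is not None and g <= e["profiles"][p]))
                   for e in ACCESS_RULES[:i]) for p, g in rule["profiles"].items()):
            shadowed.append(rule["name"])
    return shadowed
```

Running it shows Tao's caveat concretely: a FinDept user inside subnet x is exempted by Policy 1 and lands on Rule 1, never reaching Rule 2, and Rule 3 is unreachable because Rule 1 already accepts every Policy 1 request.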