I am new to WSA and wants to understand user authentication concept/flow. We want to authenticate users transparently and apply web policy as per AD group. We will integrate WSA with AD using NTLPSSP.
WSA needs user name for applying policy. I understand that Client web bowser sends user name in web request. Hence WSA can obtain that user name and can verify with AD for validity. This should be straight forward.
But as per User guide for AsyncOS 11.0, Cisco Context Directory Agent (CDA) is required for transparent user identification.
I am not sure why we require CDA, if WSA is able to get username from client web browser http get request and can verify with AD?
My understanding may be wrong.
Kindly help me to understand CDA's requirement
I assume that you have deployed WSA in Explicit Forward proxy mode and integrated with Microsoft AD. If end user system is part of domain, user authentication will happen transparently. I don't think CDA is required. I have deployed WSA without CDA and transparent authentication works fine.
Note: Make sure that all test results are successful when you run a test query while doing Authentication integration with AD. If any one fails, you will have challenge at the user side related to authentication
Cisco CDA agent maps IP Addresses to usernames in order to allow WSA to understand which user is using which IP Address in the network. This can be used when WSA is deployed in transparent mode..
So does it mean that we need CDA when WSA is deployed in transparent mode and transparent user authentication is required?
I believe HTTP request contains username and domain name. WSA can verify username with AD and allow as per policy. So why we still need CDA in this case?