wsa IP to Host Mapping

Hello team, I am not able to see IP to Host Mapping on WSA. Below are the details:

 

Step 1

Install CDA integrate with AD and Consumer Device added

Step 2

Configure WSA for Authentications

 

---

 

 

Test result for above Configuration

    Checking DNS resolution of WSA hostname(s)...
    Failure: Unable to resolve 'mgmt.proxy1.XXXX.local' :
    Unknown hostname
    Success: Resolved 'proxy1.XXXX.local' address: 172.16.254.21

    Checking DNS resolution of Active Directory Server(s)...
    Success: Resolved '172.20.0.225' address: 172.20.0.225
    Success: Resolved '172.20.0.226' address: 172.20.0.226

    Checking DNS resolution of AD Server(s)' full computer name(s)...
    Success: Resolved 'dc05.XXXX.LOCAL' address: 172.20.0.225
    Success: Resolved 'dc06.XXXX.LOCAL' address: 172.20.0.226

    Validating configured Active Directory Domain...
    Success: Active Directory Domain Name for '172.20.0.225' : XXXX.LOCAL
    Success: Active Directory Domain Name for '172.20.0.226' : XXXX.LOCAL

    Attempting to get TGT...
    Success: Kerberos Tickets fetched from server '172.20.0.225' :
    kinit: NOTICE: ticket renewable lifetime is 1 week
    Success: Kerberos Tickets fetched from server '172.20.0.226' :
    kinit: NOTICE: ticket renewable lifetime is 1 week

    Checking local WSA time and server time difference...
    Warning: Cannot check system time on AD server '172.20.0.225'
    Warning: Cannot check system time on AD server '172.20.0.226'

    Attempting to fetch group information...
    Success: Able to query for Group Information from Active Directory server '172.20.0.225'.
    Success: Able to query for Group Information from Active Directory server '172.20.0.226'.

    Checking DNS resolution of Primary Active Directory Agent...
    Success: Resolved '172.30.30.100' address: 172.30.30.100

    Validating Shared Secret between WSA and Primary AD Agent...
    Success: AD Agent 172.30.30.100 verified shared secret

    Test completed: Errors occurred, see details above.

 

Step 4: IP - Host Mapping on WSA

 

I am not able to get IP - Host Mapping on WSA. Can someone please help me with this? Did I miss any step, or does any additional configuration need to be done?

 

Below are the device details, which may help:

WSA

Current Version
===============
UDI: S170 V05 FCZ1807XXXU
Name: S170
Description: Cisco IronPort S170
Product: Cisco IronPort S170 Web Security Appliance
Model: S170
Version: 7.5.2-304
Build Date: 2014-03-19

 

CDA

Cisco Application Deployment Engine OS Release:
ADE-OS Build Version:
ADE-OS System Architecture: i386

Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: CDA

Version information of installed applications
---------------------------------------------

Cisco Context Directory Agent
---------------------------------------------
Version      : 1.0.0.011
Build Date   : Tue May  8 15:34:26 2012
Install Date : Mon Nov 17 11:16:21 2014     

Cisco Context Directory Agent Patch
---------------------------------------------
Version      : 3
Build number : NA
Install Date : Wed Nov 19 12:09:25 2014

 

Let me know if any further info is required.

8 Replies

spellluck
Level 1

Did you do your due diligence on the CDA with the service account? What domain are you connecting to? Does it have 2012 and above, which need the special DCOM permissions?

 

Do you have an Identity Policy that makes use of the LDAP/Passive Authentication? Do you have said Identity Policy mapped into an Access Policy?

 

Does the CDA itself show any mappings? How about the WSA?  For the WSA, you can use the command line to check current mappings. You're looking for the "authcache" > "list" command structure for the WSA CLI.

Thanks for your valuable comment.

Did you do your due diligence on the CDA with the service account?


Ans: I don't remember. Does it need to be an Admin account or similar privileges?

What domain are you connecting to, does it have 2012 and above that need the special DCOM permissions?


Yes, it's a 2012 server. I don't know much about the server side. Last time I had configured it as per the CDA guide; then the server guy removed some servers and brought in some new servers, and he configured those, so I think I need to check again on the server whether everything is configured or not. What are DCOM permissions? I am not aware of them. Meanwhile I will start digging about it in the CDA guide, but if you can point me somewhere more specific it would be good :)

Do you have an Identity Policy that makes use of the LDAP/Passive Authentication? Do you have said Identity Policy mapped into an Access Policy?

 


Ans: No, LDAP/Passive Authentication is not used.

 

Does the CDA itself show any mappings? How about the WSA?  For the WSA, you can use the command line to check current mappings. You're looking for the "authcache" > "list" command structure for the WSA CLI.


Yes, CDA shows mappings for WSA. I will post the output and update the post, as I don't know about this command; good to have something :)


Add an identity policy that uses passive authentication and stick it in one of your access policies.

 

Did you see anything under the authcache list?

 

And yes, special permissions are required for the CDA AD service account.  They're clearly listed in the CDA configuration guide linked by kushsriva.

@spellluck

Sorry for the late reply. As you mentioned, to create an Identity Policy and map it to an Access Policy: it's already configured using Active Directory (Kerberos, NTLMSSP or Basic Authentication). Just to be sure, here is a screenshot of my lab WSA, as at this moment I don't have access to the client WSA.

 

kushsriva
Level 1

Hi,

 

The CDA user requires some specific permissions on the Active Directory so that it can pass the user-to-IP mappings on to the Context Directory Agent and forward them to the WSA.

 

You can go the CDA Installation guide and check the "Active Directory Requirements for Successful Connection with CDA" section to make sure the proper rights have been assigned.

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_install.html#pgfId-1074403

 

Regards,

Kush

I have already gone through this guide several times. Let me verify everything once again. I am getting mappings on CDA but not on WSA; does that mean CDA is able to retrieve data from AD?

Ivo Sabev
Cisco Employee

The reporting page for bandwidth used shows users only if they were authenticated. Your configuration may be correct and everything may work fine, but not if you do not have a single identity asking for authentication. If you have one, but no user is matched against it, again there will be nothing.

To check whether authentication is working correctly with CDA, use tuiconfig on the CLI of WSA.

To check the authentication cache -> authcache. The reporting page cited is a last resort for checks.

Also please give us lines from the authlog on WSA containing any errors.

I want to confirm one thing: is it possible to show the user name instead of the IP address on reports on WSA? That is what I am trying to achieve with this, as per the customer requirement.

 

Edit: I got my answer. Yes, it's possible. I got confused because my friend told me it is not possible.

 

I think I got it now; I was not able to understand your first sentence until now :)

 

Here is the info you requested:

 

Status of AD Agent 172.30.30.100 for realm Dummy_Removed
Primary AD agent is up for realm Dummy_Removed
AD Agent up for 11h 29m 56s
Last contact with AD Agent was at: Thu, 19 Mar 2015 23:29:37
Active Directory Server                                      Connection Status   
--------------------------------------------------------------------------------
Dummy_Removed                                                         up                  

Choose the operation you want to perform:
- ADAGENTSTATUS - Print the status of the AD agent(s) WSA is connected to
- LISTLOCALMAPPINGS - List locally stored mappings got from AD agent
[]> LISTLOCALMAPPINGS

Local mappings for realm -  Dummy_Removed

IP Address       User Name                                                   
----------------------------------------------------------------------------
172.18.11.111    Dummy_Removed\mghazaly                                               
172.18.11.38     Dummy_Removed\halemadi                                               
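The two outputs in this thread are the checks spellluck and Ivo Sabev point at: the realm test (which ended with "Errors occurred" because of the single DNS Failure for 'mgmt.proxy1.XXXX.local', plus two time-check Warnings) and the AD agent status with its LISTLOCALMAPPINGS table. As an added example, not code from the thread or from Cisco, the following Python script parses both formats exactly as they appear above, groups each Failure/Warning under the step it occurred in, confirms the primary AD agent is up, and looks up whether a given client IP has a mapping (the condition the WSA needs before a report can show a user name instead of an IP). The sample inputs are constructed from the posted output; the layout is assumed to be what the CLI printed here, not a documented machine-readable format.

```python
import re

# Constructed sample, abridged from the realm test output posted in the question.
REALM_TEST = """\
Checking DNS resolution of WSA hostname(s)...
Failure: Unable to resolve 'mgmt.proxy1.XXXX.local' :
Unknown hostname
Success: Resolved 'proxy1.XXXX.local' address: 172.16.254.21

Attempting to get TGT...
Success: Kerberos Tickets fetched from server '172.20.0.225' :
kinit: NOTICE: ticket renewable lifetime is 1 week

Checking local WSA time and server time difference...
Warning: Cannot check system time on AD server '172.20.0.225'
Warning: Cannot check system time on AD server '172.20.0.226'

Validating Shared Secret between WSA and Primary AD Agent...
Success: AD Agent 172.30.30.100 verified shared secret

Test completed: Errors occurred, see details above.
"""

# Constructed sample in the layout of the ADAGENTSTATUS / LISTLOCALMAPPINGS
# output the poster captured from the WSA CLI (assumed layout, not a spec).
ADAGENT_OUTPUT = """\
Status of AD Agent 172.30.30.100 for realm Dummy_Removed
Primary AD agent is up for realm Dummy_Removed
AD Agent up for 11h 29m 56s
Last contact with AD Agent was at: Thu, 19 Mar 2015 23:29:37

Local mappings for realm -  Dummy_Removed

IP Address       User Name
----------------------------------------------------------------------------
172.18.11.111    Dummy_Removed\\mghazaly
172.18.11.38     Dummy_Removed\\halemadi
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAPPING_LINE = re.compile(rf"^({IPV4})\s+(\S+)\s*$")


def triage_realm_test(text):
    """Group Failure/Warning lines of a WSA realm test under the step
    ("Checking ...") they belong to, folding continuation lines such as
    'Unknown hostname' into the preceding message."""
    result = {"failures": [], "warnings": [], "errors_occurred": False}
    step = None      # the 'Checking ...' / 'Validating ...' heading in effect
    current = None   # entry still receiving continuation lines, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif line.endswith("..."):
            step, current = line[:-3], None
        elif line.startswith("Test completed:"):
            result["errors_occurred"] = "Errors occurred" in line
            current = None
        elif line.startswith(("Failure:", "Warning:")):
            kind, _, msg = line.partition(":")
            current = {"step": step, "message": msg.strip().rstrip(" :")}
            result["failures" if kind == "Failure" else "warnings"].append(current)
        elif line.startswith("Success:"):
            current = None
        elif current is not None:
            current["message"] += " " + line
    return result


def agent_is_up(text):
    """True when the primary AD agent (CDA) reports 'up' for the realm."""
    return re.search(r"^Primary AD agent is up for realm", text, re.M) is not None


def parse_local_mappings(text):
    """Return {client_ip: 'DOMAIN\\user'} from the LISTLOCALMAPPINGS table.
    Header and separator rows do not start with an IPv4 address, so they
    are skipped without special-casing."""
    mappings = {}
    for line in text.splitlines():
        m = MAPPING_LINE.match(line.strip())
        if m:
            mappings[m.group(1)] = m.group(2)
    return mappings


def lookup_user(text, client_ip):
    """User the WSA would attribute traffic from client_ip to, or None when
    CDA has not pushed a login for that address (the symptom in the thread)."""
    return parse_local_mappings(text).get(client_ip)


if __name__ == "__main__":
    t = triage_realm_test(REALM_TEST)
    for f in t["failures"]:
        print(f"FAILURE in step '{f['step']}': {f['message']}")
    for w in t["warnings"]:
        print(f"warning in step '{w['step']}': {w['message']}")
    print("AD agent up:", agent_is_up(ADAGENT_OUTPUT))
    for ip in ("172.18.11.38", "10.0.0.1"):
        print(ip, "->", lookup_user(ADAGENT_OUTPUT, ip) or "no mapping")
```

Run it with pasted output from your own WSA in place of the constructed samples. A client IP that returns "no mapping" while the agent is up means CDA never reported a login for that address, which is the place to look (CDA's own mapping view and the service-account permissions the replies above describe) before touching the identity or access policies.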

 

 
