03-04-2015 01:49 AM
Hello team, I am not able to see IP to Host Mapping on WSA. Below are the details given.
Step 1
Install CDA, integrate it with AD, and add the Consumer Device
Step 2
Configure WSA for Authentication
---
Test result for above Configuration
Checking DNS resolution of WSA hostname(s)...
Failure: Unable to resolve 'mgmt.proxy1.XXXX.local' : Unknown hostname
Success: Resolved 'proxy1.XXXX.local' address: 172.16.254.21
Checking DNS resolution of Active Directory Server(s)...
Success: Resolved '172.20.0.225' address: 172.20.0.225
Success: Resolved '172.20.0.226' address: 172.20.0.226
Checking DNS resolution of AD Server(s)' full computer name(s)...
Success: Resolved 'dc05.XXXX.LOCAL' address: 172.20.0.225
Success: Resolved 'dc06.XXXX.LOCAL' address: 172.20.0.226
Validating configured Active Directory Domain...
Success: Active Directory Domain Name for '172.20.0.225' : XXXX.LOCAL
Success: Active Directory Domain Name for '172.20.0.226' : XXXX.LOCAL
Attempting to get TGT...
Success: Kerberos Tickets fetched from server '172.20.0.225' : kinit: NOTICE: ticket renewable lifetime is 1 week
Success: Kerberos Tickets fetched from server '172.20.0.226' : kinit: NOTICE: ticket renewable lifetime is 1 week
Checking local WSA time and server time difference...
Warning: Cannot check system time on AD server '172.20.0.225'
Warning: Cannot check system time on AD server '172.20.0.226'
Attempting to fetch group information...
Success: Able to query for Group Information from Active Directory server '172.20.0.225'.
Success: Able to query for Group Information from Active Directory server '172.20.0.226'.
Checking DNS resolution of Primary Active Directory Agent...
Success: Resolved '172.30.30.100' address: 172.30.30.100
Validating Shared Secret between WSA and Primary AD Agent...
Success: AD Agent 172.30.30.100 verified shared secret
Test completed: Errors occurred, see details above.
Step 4: IP - Host Mapping on WSA
I am not able to get IP - Host Mapping on WSA. Can someone please help me on the same? Did I miss any step, or does any additional configuration need to be done?
Below are the device details which will help.
WSA Current Version
===============
UDI: S170 V05 FCZ1807XXXU
Name: S170
Description: Cisco IronPort S170
Product: Cisco IronPort S170 Web Security Appliance
Model: S170
Version: 7.5.2-304
Build Date: 2014-03-19
CDA
Cisco Application Deployment Engine OS Release:
ADE-OS Build Version:
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc. All rights reserved.
Hostname: CDA
Version information of installed applications
---------------------------------------------
Cisco Context Directory Agent
---------------------------------------------
Version : 1.0.0.011
Build Date : Tue May 8 15:34:26 2012
Install Date : Mon Nov 17 11:16:21 2014
Cisco Context Directory Agent Patch
---------------------------------------------
Version : 3
Build number : NA
Install Date : Wed Nov 19 12:09:25 2014
Let me know if any further info is required.
03-04-2015 02:52 PM
Did you do your due diligence on the CDA with the service account? What domain are you connecting to? Does it have 2012 and above that need the special DCOM permissions?
Do you have an Identity Policy that makes use of the LDAP/Passive Authentication? Do you have said Identity Policy mapped into an Access Policy?
Does the CDA itself show any mappings? How about the WSA? For the WSA, you can use the command line to check current mappings. You're looking for the "authcache" > "list" command structure for the WSA CLI.
03-05-2015 03:09 AM
Thanks for your valuable comment,
Did you do your due diligence on the CDA with the service account?
Ans:- I don't remember. Does it need to be an Admin account or similar privileges?
What domain are you connecting to, does it have 2012 and above that need the special DCOM permissions?
Yes, it's a 2012 server. I don't know much about the server side; last time I had configured it as per the CDA guide, then the server guy removed some servers and brought in some new servers and configured them, so I think I need to check again on the server whether everything is configured or not. What are DCOM permissions? I am not aware of them; meanwhile I will start digging into the CDA guide about it, but if you can point me somewhere more specific it will be good :)
Do you have an Identity Policy that makes use of the LDAP/Passive Authentication? Do you have said Identity Policy mapped into an Access Policy?
ANS: No, LDAP/Passive Authentication is not used.
Does the CDA itself show any mappings? How about the WSA? For the WSA, you can use the command line to check current mappings. You're looking for the "authcache" > "list" command structure for the WSA CLI.
Yes, CDA shows mappings. For the WSA I will post the output and update the post, as I didn't know about this command; good to have something :)
03-05-2015 07:09 AM
Add an identity policy that uses passive authentication and stick it in one of your access policies.
Did you see anything under the authcache list?
And yes, special permissions are required for the CDA AD service account. They're clearly listed in the CDA configuration guide linked by kushsriva.
03-07-2015 11:29 PM
Sorry for the late reply. As you mentioned, to create an Identity Policy and map it to an Access Policy: it's already configured using Active Directory (Kerberos, NTLMSSP or Basic Authentication). Just to be sure, here is a screenshot of my lab WSA, as at this moment I don't have access to the client WSA.
03-05-2015 12:17 AM
Hi,
The CDA user requires some specific permissions on the Active Directory so that it can pass on the user-to-ip mappings to the Context Directory Agent and forward it to the WSA.
You can go the CDA Installation guide and check the "Active Directory Requirements for Successful Connection with CDA" section to make sure the proper rights have been assigned.
http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_install.html#pgfId-1074403
Regards,
Kush
03-05-2015 03:17 AM
I have already gone through this guide several times. Let me verify everything once again. I am getting mappings on CDA but not on WSA; does that mean CDA is able to retrieve data from AD?
03-08-2015 03:33 PM
The reporting page for bandwidth used shows users only if they were authenticated. Your configuration may be correct and everything may work fine, but if you do not have a single identity asking for authentication. If you have one, but no user is matched against it, again there will be nothing.
To check whether authentication is working correctly with CDA, use tuiconfig on the CLI of WSA.
To check the authentication cache -> authcache. The reporting page cited is the last resort for checks.
Also please give us lines from the authlog on the WSA containing any errors.
03-19-2015 01:32 PM
I want to confirm one thing: is it possible to show the user name instead of the IP address on reports on the WSA? Because that is what I am trying to achieve, as per the customer requirement.
Edit:- I got my answer. Yes, it's possible; I got confused because my friend told me that it is not possible.
I think I got it now; I am still not able to understand your first sentence :)
Here is the info you requested:
Status of AD Agent 172.30.30.100 for realm Dummy_Removed
Primary AD agent is up for realm Dummy_Removed
AD Agent up for 11h 29m 56s
Last contact with AD Agent was at: Thu, 19 Mar 2015 23:29:37
Active Directory Server Connection Status
--------------------------------------------------------------------------------
Dummy_Removed up
Choose the operation you want to perform:
- ADAGENTSTATUS - Print the status of the AD agent(s) WSA is connected to
- LISTLOCALMAPPINGS - List locally stored mappings got from AD agent
[]> LISTLOCALMAPPINGS
Local mappings for realm - Dummy_Removed
IP Address User Name
----------------------------------------------------------------------------
172.18.11.111 Dummy_Removed\mghazaly
172.18.11.38 Dummy_Removed\halemadi
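The LISTLOCALMAPPINGS table above is what decides whether a report row shows a user name or just an IP address: a client address that is absent from the authcache cannot be attributed to anyone. As an added example, not from the thread or from Cisco, the following reads that table and checks a list of client addresses taken from a report against it, returning the ones that have no mapping. The sample table is constructed to match the layout of the output above; the realm, addresses and user names are placeholders.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample modelled on authcache > LISTLOCALMAPPINGS output.
# Realm, addresses and user names are placeholders, not real data.
SAMPLE_MAPPINGS = """\
Local mappings for realm - EXAMPLE
IP Address                  User Name
----------------------------------------------------------------------------
172.18.11.111               EXAMPLE\\alice
172.18.11.38                EXAMPLE\\bob
"""

# A mapping row is a dotted-quad address, whitespace, then REALM\user.
MAPPING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")


def parse_local_mappings(text: str) -> Dict[str, str]:
    """Turn the mapping table into {ip: 'REALM\\user'}.

    Header, separator and menu lines are skipped because none of them
    start with an IP address."""
    mappings: Dict[str, str] = {}
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if m:
            mappings[m.group(1)] = m.group(2)
    return mappings


def user_for(mappings: Dict[str, str], ip: str) -> Optional[str]:
    """User the WSA would attribute traffic from 'ip' to, or None when the
    report can only show the address."""
    return mappings.get(ip)


def unmapped_clients(mappings: Dict[str, str], client_ips: Iterable[str]) -> List[str]:
    """Client addresses from a report that have no CDA mapping on the WSA."""
    return sorted(ip for ip in set(client_ips) if ip not in mappings)


if __name__ == "__main__":
    m = parse_local_mappings(SAMPLE_MAPPINGS)
    # Constructed client list, as it might be copied from a bandwidth report.
    seen = ["172.18.11.111", "172.18.11.38", "172.18.11.50"]
    for ip in seen:
        print(ip, "->", user_for(m, ip) or "(no mapping, report shows IP only)")
    print("unmapped:", unmapped_clients(m, seen))
```

Addresses that come back from unmapped_clients are the ones to chase on the CDA side (is the client's logon event being picked up from the domain controllers, and is that subnet within what the agent watches); addresses that are mapped here but still show as IPs in reports point instead at the identity and access policy configuration discussed earlier in the thread.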