WSA, ISE, with HTTPS

irissen
Level 1

I have a WSA S170 (AsyncOS 9), ISE (v2.0), Active Directory, a WCCP router, and no CDA server.

 

With HTTP traffic, I believe transparent authentication is doable (WSA > ISE).

However for HTTPS traffic, whereby the WSA should have a browser prompt for user login after enabling HTTPS Proxy, does the WSA also contact the ISE to authenticate users? Or does it need to have integration with AD by itself, directly?

I am trying to avoid the case of WSA contacting AD as it uses SMBv1

 

Thanks in advance


balaji.bandi
Hall of Fame
WSA S170

This went end of life last year; I do not believe Cisco can support anything that is broken.

(AsyncOS 9)

The stable release with TAC support is 13.x, or 14.x is the latest, so you need to look at some features that may not work as expected.

 

WSA can use ISE for user authentication, but there are some minimum requirements to be in place:

 

For reference, check the guide below:

 

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-741637.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks. Sorry, the versions are quite old and out of support.

When you say some features may not work as expected, is there a known experience or issue?

I am also concerned whether, with the old versions, it is feasible at all.

It's been a long time since I worked on WSA AsyncOS 9.

 

Please check the configuration guide (it's possible for RADIUS authentication):

 

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa9-0/WSA_9-0-0_UserGuide.pdf

BB

Okay, thanks.

@irissen, if WSA and ISE are integrated using pxGrid, then the WSA has the user information (user/IP binding) to authenticate the users without prompting.

Thanks. Does this mean WSA can run solely off the integration with ISE, without the need to create any realms for AD?

@irissen, as per the guide below, WSA obtains ISE user/IP mappings and AD group information for authenticated users from ISE using ERS.

 

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-741637.pdf

 


Hi @irissen,

I am referring to the user guide for 14.0, but that could be the same.

Kindly notice that

User Guide for AsyncOS 14.0 for Cisco Web Security Appliances - GD (General Deployment)

page 88

under the section: Identifying Users Transparently

[1] When you configure an Identification Profile to transparently identify users, the authentication surrogate must be IP address. You cannot select a different surrogate type.

[2] From the identification profile on the policies which are set to authenticate users, please select "Transparently identify users with authentication realms".

 

 

This is the latest version of the ISE and WSA compatibility matrix; maybe it helps you to decide clearly regarding the upgrade plan:

ISE Compatibility Matrix for Secure Web Appliance - Cisco

 

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Hi amojarra,

I think my version does not have this option. The authentication realms are given as Kerberos and LDAP only; ISE is a separate section by itself. I asked my question specifically for AsyncOS 9.0, as I am in a situation with no possible means to upgrade.

Thanks Rob.

If reading directly from the diagram, WSA should purely rely on ISE for identifying user-IP mappings.

I guess the next question would be: does the ISE also use SMBv1 to connect with AD?

Hi @irissen,

Thanks for the reply.

It is so sad that you cannot upgrade at this moment; hope things get well soon.

According to the user guide: User Guide for AsyncOS 9.0 for Cisco Web Security Appliances - LD (Limited Deployment)

page 132 of the e-book, there is an option: Fallback to Authentication Realm or Guest Privileges

If you have another realm with AD and this option is configured to use that realm, then WSA will try to connect to AD if authentication failed with ISE.

For ISE v2.0, what I can see in Active Directory Integration with Cisco ISE 2.x - Cisco, under the section "Network Ports That Must Be Open for Communication", is that ISE is using MSRPC instead of SMB.

From the release note: Cisco Identity Services Engine Administrator Guide, Release 2.0, page 225 of the e-book:

Cisco ISE 1.3 and above support SMB 2.0.

 

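The thread's underlying concern is a legacy client (here the WSA joining AD directly) that still negotiates SMBv1 against a domain controller, while ISE is stated to use MSRPC and SMB 2.0. The following is an added example written for this thread, not from Cisco or any of the posters, showing how an AD administrator can confirm on the DC side which clients actually use SMBv1 before turning it off. It assumes Windows Server 2016 or later (Get-SmbServerConfiguration / Set-SmbServerConfiguration with the -AuditSmb1Access switch), that the SMBv1 audit event 3000 text carries a "Client Address:" line, and uses a constructed lookback window of $Days.

```powershell
# Added example, not from this thread: audit which clients still negotiate
# SMBv1 against a domain controller before switching the protocol off, so a
# legacy client (e.g. a WSA joined to AD over SMBv1) is found rather than
# broken. Run in an elevated PowerShell on the DC.
# Assumptions: Windows Server 2016 or later (Get/Set-SmbServerConfiguration
# with -AuditSmb1Access); $Days is a constructed lookback window; the audit
# event message contains a "Client Address:" line, which is what is parsed.

param(
    [int]$Days = 7,        # how far back to read the SMBv1 audit log
    [switch]$Disable       # actually turn SMBv1 off at the end
)

# 1. Report the current SMBv1 state of this server.
$cfg = Get-SmbServerConfiguration
Write-Host ("SMB1 enabled : {0}" -f $cfg.EnableSMB1Protocol)
Write-Host ("SMB1 audited : {0}" -f $cfg.AuditSmb1Access)

# 2. Turn on SMBv1 access auditing if it is off. Each SMBv1 negotiation is
#    then logged as event ID 3000 in Microsoft-Windows-SMBServer/Audit.
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host "SMB1 access auditing enabled; collect for $Days days, then re-run."
}

# 3. Summarise which client addresses used SMBv1 in the lookback window.
$filter = @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$clients = foreach ($e in $events) {
    # Assumption: the event text has a line such as "Client Address: 10.0.0.5"
    $line = ($e.Message -split "`r?`n") |
        Where-Object { $_ -match '^\s*Client Address:' } |
        Select-Object -First 1
    if ($line) { ($line -replace '^\s*Client Address:\s*', '').Trim() }
}

if ($clients) {
    Write-Host "Clients that negotiated SMBv1 in the last $Days days:"
    $clients | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
} else {
    Write-Host "No SMBv1 audit events in the last $Days days."
}

# 4. Only disable SMBv1 when explicitly asked, and only after step 3 has
#    shown that nothing you still depend on is using it.
if ($Disable) {
    if ($clients) {
        Write-Warning "SMBv1 clients were seen in the audit window; not disabling."
    } else {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server protocol disabled."
    }
}
```

Run it once without switches to enable auditing, let it collect for the window, then run it again; a WSA that has joined AD through an SMBv1-only path will appear in the client list by its IP address. Pass -Disable only when the list is empty. Disabling the protocol in the server configuration leaves the SMBv1 binaries installed; on Windows Server, Remove-WindowsFeature FS-SMB1 removes them entirely once nothing depends on them.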