WSA Proxy IOT/Gaming Devices Question

agreer001
Level 1

Hi Everyone,

In our organization we use Oculus Goggles and various other IoT devices via WCCP. It's becoming increasingly difficult to manage these devices and each network connection they use. For example, the Oculus Goggles are not on our AD Domain, do not use Kerberos for authentication and do not have access to the certificate store, so we cannot import our intermediate certificate. What we end up doing is setting that device up with a DHCP reservation and assigning it to its own Identification policy with URL Categories. For these URL categories we use the access logs to see what domains the device connects to and then we exclude those domains for the goggles; however, each time they want to use a new game or update we have to go through this process again.

Does anyone have any recommendations for a better way to manage these devices and provide a better user experience for the users?

Thanks,

7 Replies

A couple of things come to mind.
1. Are you using ISE? You could tag these devices and use SGT tags to let these devices go wherever. Or use ISE to put them on a different VLAN and treat that VLAN differently.
2. Do they have a user agent string that is unique? Or can you set one on each device? You can use that as an identity for its own policy.

Hi Ken, thanks for the update. We are not using ISE... yet. We actually have a project kicking off in the next few weeks to get that started.

As for the User-Agent, we don't have control to set a user agent on these devices. I also thought about a user-agent-based bypass, but since we are intercepting the traffic our logs are not showing the User-Agent. Here is an example access log for the URLs that we captured. This is a log message for URLs or IPs that we have identified and added to our passthrough URL category for this IP.


10 19 2021 16:36:34 10.100.53.11 <LOC7:INFO> Oct 19 16:36:34 wsa-mgmt.craig-hospital.org accesslogs: Info: 1634661393.461 146838 <ip> TCP_MISS/200 7568 TCP_CONNECT 157.240.18.10:443 - DIRECT/157.240.18.10 - PASSTHRU_CUSTOMCAT_7-VRs_Goggles-NONE-NONE-NONE-NONE-NONE <"C_Ocul",7.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.41,0,Local,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -


Then here is another log message of traffic that is not passing through the proxy, and the Oculus Goggles are not working. I don't see a user agent being present in these log messages. Typically I would take this IP and add it to the above PASSTHRU list.


1635260772.674 9 <ip> TCP_MISS_SSL/200 0 TCP_CONNECT 142.250.69.226:443 - DIRECT/googleapis.com - DECRYPT_ADMIN_2-NONE-Kerberos-NONE-NONE-NONE-NONE-NONE <"IW_adv",0.5,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -

 

balaji.bandi
Hall of Fame

Maybe capture user-agent-based identification.


BB


Hi Balaji, thanks for responding. I posted above in reply to Ken's response, but the logs are not capturing the User-Agent.

Add the user agent to your logs.

Go to System Administration / Log Subscriptions.

Open Access Logs.

In the "Custom Fields" box, add "%u" (without the quotes).

If you want it labeled in the log, you can do something like this:

    UA: %u

Save and commit.

That should add the user agent to the access log.
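
The two posted log lines and the "UA: %u" custom field above are the raw material for the manual process the original post describes (read the access log, find where the device went, add it to the passthrough category). The script below is an added example, not code from any poster in this thread or from Cisco: it parses WSA access-log lines (with or without the syslog wrapper seen in the first posted line), pulls out the decision tag, destination, DIRECT peer and, if the custom field is present, the user agent, and reports for one device IP which destinations are still being decrypted/authenticated rather than passed through. The sample lines are constructed for this example, modelled on the posted ones, using 192.0.2.0/24 addresses and example.org/.net hostnames; the exact layout of the "UA:" custom field at the end of the line is an assumption, so the parser accepts both quoted and unquoted values.

```python
"""Parse Cisco WSA access-log lines and list, for one device IP, the destinations
that were NOT already PASSTHRU'd (candidates for the passthrough URL category).

The sample lines are constructed for this example (documentation-range IPs,
example.org/.net hostnames); they imitate the lines posted in the thread."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Standard leading fields of a WSA access-log entry. Everything after the
# <...> scanning-verdict block is the "suspect user agent" field plus any
# custom fields added under Log Subscriptions (here assumed to be "UA: %u").
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s+"
    r"(?P<tag>\S+)\s+<(?P<verdict>[^>]*)>\s*(?P<rest>.*)$"
)
# When the WSA ships access logs over syslog the record is wrapped in a syslog
# header; the real entry starts after this marker.
SYSLOG_MARK = "accesslogs: Info: "
# Assumed layout of the "UA: %u" custom field; value may or may not be quoted.
UA_RE = re.compile(r'\bUA:\s*"?(?P<ua>.*?)"?\s*$')

# Constructed sample log: device 192.0.2.50 is the headset, 192.0.2.77 a domain PC.
SAMPLE_LINES = [
    '10 19 2021 16:36:34 192.0.2.5 <LOC7:INFO> Oct 19 16:36:34 wsa-mgmt.example.org accesslogs: Info: '
    '1634661393.461 146838 192.0.2.50 TCP_MISS/200 7568 TCP_CONNECT 157.240.18.10:443 - DIRECT/157.240.18.10 - '
    'PASSTHRU_CUSTOMCAT_7-VRs_Goggles-NONE-NONE-NONE-NONE-NONE <"C_Ocul",7.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,'
    '"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.41,0,Local,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -',
    '1635260772.674 9 192.0.2.50 TCP_MISS_SSL/200 0 TCP_CONNECT 142.250.69.226:443 - DIRECT/googleapis.com - '
    'DECRYPT_ADMIN_2-NONE-Kerberos-NONE-NONE-NONE-NONE-NONE <"IW_adv",0.5,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,'
    '"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - '
    'UA: "Oculus/1.0 (constructed)"',
    '1635260773.001 12 192.0.2.50 TCP_MISS/200 512 GET http://updates.example.net/manifest.json - DIRECT/updates.example.net '
    'application/json DEFAULT_CASE_11-NONE-Kerberos-NONE-NONE-NONE-NONE-NONE <"IW_comp",3.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,'
    '"-","-",-,-,"-",-,"-","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - UA: -',
    '1635260774.220 8 192.0.2.77 TCP_MISS_SSL/200 0 TCP_CONNECT 142.250.69.226:443 jdoe@EXAMPLE DIRECT/googleapis.com - '
    'DECRYPT_ADMIN_2-NONE-Kerberos-NONE-NONE-NONE-NONE-NONE <"IW_adv",0.5,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,'
    '"IW_snet",-,"-","Social Networking","-","Unknown","Unknown","-","-",0.00,0,Local,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -',
]


def _host_of(url: str, method: str) -> str:
    """Reduce the request URL to a host: CONNECT targets are host:port,
    other methods carry a full URL."""
    if "://" in url:
        return urlsplit(url).hostname or url
    if method == "TCP_CONNECT" and ":" in url:
        return url.rsplit(":", 1)[0]
    return url


def parse_access_line(line: str):
    """Parse one access-log line into a dict; return None for non-entries."""
    body = line.strip()
    at = body.find(SYSLOG_MARK)
    if at != -1:
        body = body[at + len(SYSLOG_MARK):]  # drop the syslog wrapper
    m = ACCESS_RE.match(body)
    if not m:
        return None
    f = m.groupdict()
    # The decision tag starts with the action (PASSTHRU, DECRYPT, BLOCK,
    # DEFAULT ...); policy names follow after the first "-".
    action = f["tag"].split("_", 1)[0]
    ua_match = UA_RE.search(f["rest"])
    ua = ua_match.group("ua") if ua_match else None
    return {
        "client": f["client"],
        "method": f["method"],
        "host": _host_of(f["url"], f["method"]),
        # DIRECT/<name-or-ip>: the server the proxy actually connected to
        "peer": f["hier"].split("/", 1)[1] if "/" in f["hier"] else f["hier"],
        "action": action,
        "tag": f["tag"],
        "user_agent": None if ua in (None, "", "-") else ua,
    }


def device_report(lines, client_ip: str):
    """Split one device's destinations into those already passed through and
    those still hitting decryption/authentication policies (the candidates the
    thread adds to the passthrough category by hand)."""
    passthru = set()
    candidates = defaultdict(lambda: {"peer": None, "actions": set(), "user_agents": set()})
    for line in lines:
        e = parse_access_line(line)
        if e is None or e["client"] != client_ip:
            continue
        if e["action"] == "PASSTHRU":
            passthru.add(e["host"])
            continue
        c = candidates[e["host"]]
        c["peer"] = e["peer"]
        c["actions"].add(e["action"])
        if e["user_agent"]:
            c["user_agents"].add(e["user_agent"])
    return {"passthru": passthru, "candidates": dict(candidates)}


if __name__ == "__main__":
    rep = device_report(SAMPLE_LINES, "192.0.2.50")
    print("already passed through:", sorted(rep["passthru"]))
    for host, c in sorted(rep["candidates"].items()):
        print(f"candidate {host} (server {c['peer']}) actions={sorted(c['actions'])} "
              f"ua={sorted(c['user_agents']) or '-'}")
```

Run against a real export, the "candidates" list is what would otherwise be read off the log by eye; once the "UA: %u" field is in place, the user agents collected per destination show whether a unique string exists that could drive a user-agent-based identification profile instead of per-IP reservations.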

 

I guess responding via email is not going to work for this forum. Anyway, I've updated the log subscription and will report back once the device connects! Thanks for the input.