SSO on Cisco WSA

Hello

Can someone give me a link concerning the implementation (procedure) of SSO on the WSA?

With NTLM authentication, must the user account already exist on the AD server, or can it be created on the WSA and be accepted by the AD server?

Best regards

Hello

User accounts must already exist in Active Directory for single sign-on to work. Are you asking about Single Sign-On itself, or do you just want your users to authenticate transparently when opening IE?

Erik K.

Tags: Cisco Security

Similar Questions

  • Cisco WSA: Is it possible to use the web proxy in transparent mode without a WCCP router?

    Hello!

    I would like to use the Cisco WSA as a web proxy in transparent mode (without any configuration of the client web browsers), but I do not have a WCCP router. Is it possible?

    If so, how?

    Thank you

    Stephane Walker

    Hi, Stéphane

    The only alternative to WCCP is PBR (policy-based routing). With a simple configuration on the router, you can redirect the traffic defined as interesting by an access list to the WSA. On the WSA you must configure transparent mode (Security Services -> Web Proxy -> Settings -> Proxy Mode: Transparent). You should also make sure the proxy listens on port 80, and that the HTTPS proxy is enabled (on port 443) if you want to redirect HTTPS traffic as well.

    Cisco router configuration example:

    !
    access-list 110 permit tcp any any eq www
    !
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop xxx.xxx.xxx.xxx
    !
    interface ethernet0/1
     ip policy route-map proxy-redirect
    !

    xxx.xxx.xxx.xxx is the IP address of the proxy in this case, and access-list 110 defines web traffic (HTTP, TCP/80) as interesting.

    The biggest drawback of this solution is the lack of failover. If the proxy goes down for some reason, the router will keep redirecting traffic, cutting off internet access.

    Non-Cisco routers should also offer an option to configure policy-based routing.

    / Artur

    PS. It is not possible to place the WSA inline between the clients and the internet.
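    The failover drawback Artur describes above (the router keeps redirecting after the proxy dies) can be mitigated on IOS by tracking the proxy's reachability and applying the policy next hop only while the proxy answers. This is an added example, not part of the original post; the proxy address 192.0.2.10, the ACL number and the route-map name are assumed.

```ios
! Added example (not from the original post): PBR redirection to the WSA
! with object tracking, so traffic falls back to normal routing when the
! proxy stops answering. 192.0.2.10 is an assumed proxy address.
ip sla 1
 icmp-echo 192.0.2.10
 frequency 5
ip sla schedule 1 life forever start-time now
!
! track 1 goes down when the ICMP probe fails
track 1 ip sla 1 reachability
!
! interesting traffic: HTTP and HTTPS (HTTPS proxy must be enabled on the WSA)
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
!
route-map proxy-redirect permit 10
 match ip address 110
 ! next hop is used only while track 1 is up; otherwise the packet is
 ! routed normally instead of being black-holed at a dead proxy
 set ip next-hop verify-availability 192.0.2.10 10 track 1
!
interface Ethernet0/1
 ip policy route-map proxy-redirect
!
```

    Verify with "show track 1" and "show route-map proxy-redirect": when the proxy is unreachable the track shows Down and the route-map stops matching packets.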

  • One Cisco Content Security Management Appliance box for both the Cisco ESA and the Cisco WSA

    Hi all

    I have a question about the Cisco Content Security Management Appliance; could you please help me check the answer.

    My client asked me if they could use one management box to manage both WSA and ESA devices.

    For example, I have one ESA C380 box and one WSA S380 box. Can I use one M380 box to manage both of them?

    Thanks for your help.

    Vinh Phan.

    Hello Vinh,

    Yes, you can manage the ESA and the WSA with the same M380 box.

    Source:

    http://www.Cisco.com/c/en/us/products/security/content-security-management-appliance/index.html

    "Cisco SMA simplifies administration by publishing configurations from a single Cisco management console to multiple email and web security appliances"

    Please rate helpful posts!

  • Cisco WSA: What is the RADIUS CLASS attribute?

    Hello!

    I am trying to use a Cisco ISE RADIUS server as an external authentication server for the WSA. I would like to assign roles to groups of users, but I do not understand the meaning of the RADIUS CLASS attribute. What should I write in this field?

    Thank you

    Stephane Walker

    The CLASS attribute is generic; you can put anything in it. So you get to decide what you use.

    On your RADIUS box, for the users or the group it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read-only users...

    Then, when you configure the WSA, you set them accordingly...

    But you can really use any string you want; they just need to match the right way.

    HTH,

    Ken

  • How to create a policy to bypass the cache for a URL on the WSA

    How do I create a policy to bypass the cache for a URL on the Cisco WSA?

    You can set the URL to be "ignored" by the web cache (basically, set this URL to never be cached on the WSA).

    To do this, you'll need to use the WSA CLI and issue the 'webcache' command, then 'ignore' and 'url'.

    Example:

    WSA.lab > webcache

    Select the operation to perform:

    -EVICT - remove a URL from the cache

    -DESCRIBE - describe the cache status of a URL

    -IGNORE - configure domains and URLS never to be cached

    [] > ignore

    Select the operation to perform:

    -DOMAINS - manage domains

    -URL - manage URLS

    []>

  • CCO login problems with CLI Analyzer 2.1

    Is anyone else having issues connecting to your CCO account via the CLI Analyzer?

    I can access my CCO account via a web browser just fine, but when I try to submit my command output to the CLI Analyzer for analysis, the CCO login fails. My proxy logs and tests all indicate that connections to...

    • cloudsso.cisco.com
    • sso.cisco.com
    • api.cisco.com
    • cway.cisco.com

    ...are allowed. The logs show that the CLI Analyzer contacted cway.cisco.com and then nothing afterwards. The CLI Analyzer shows the error "There was a connection error. Check your user name and password and try again."

    Thoughts?

    Mark, Michael,

    In addition to the changes to your proxy, have you also updated the proxy settings in the Settings tab of the CLI Analyzer?

    After making the changes you need to restart the application as well.

    Thank you

    John

  • ISE 1.3 guest activity

    Hello

    In ISE version 1.3, is there a possibility that I can view guest activity and export it via FTP?

    What I'd like to see is which user opens which site/service, and what kind of activity the guest performed while using our guest wifi.

    Regards

    Filip

    Hello Filip. Such an option is available in ISE. In addition, only the guest authentication traffic hits ISE. Once authenticated, the guest user's traffic no longer traverses ISE, so ISE has no visibility into what the user is doing on the network.

    This type of information would be better captured by your web security appliance, if for example you have a Cisco WSA/CWSA.

    Please rate helpful posts!

  • Problems with the CSC / Cisco site session management (related to SSO)

    Dear friends,

    I came across a problem with the single sign-on (SSO) used on Cisco's Web site and the CSC which is becoming more and more awkward:

    1. I visit the CSC and log in to reply to a thread. Then I start replying to a message.
    2. While replying, I need to consult technical documentation, configuration guides or other documents on Cisco's Web site. In another tab in my browser, I visit Cisco's Web site and do my search/navigation.
    3. At some point, Cisco's Web site recognizes that I am already logged in to the CSC and begins to produce URLs with the /partner/ component inside (for example in the search results). Clicking on such a URL causes me to be redirected to the login page again. This is the first issue - why do I have to log in again when I am already logged in and SSO is supposed to take care of this?
    4. Well, I re-enter my credentials, get logged in, access the necessary document, then go back to my post on the CSC, finish it and submit it. KABOOM - the CSC promptly informs me that I do not have permission to perform this action, and I lose my reply in the process! Logging on to Cisco's Web site (as described in step 3) obviously invalidates my current session on the CSC! I need to log in to the CSC again (until I do that, it considers me a guest once more, but when I click on the login link, I am suddenly logged in without entering my credentials) and, well, write my reply again. Sometimes a part is recoverable, but usually it is only a small fragment.

    Would it not be possible to correct this behavior? I have lost a lot of time rewriting my lost replies.

    Best regards

    Peter

    Hi Peter,

    I wanted to give you a quick update on the two issues.

    First question:

    We are currently working on both a long-term and a short-term fix for this problem. Unfortunately the long-term solution will be a drawn-out effort, as we are beginning the migration of all the content in our legacy data center. The team is currently testing the short-term solution; I will keep you posted on the progress as I get more details.

    Second question:

    We are currently doing root cause analysis of this problem and will give you an update each week on this issue until we deploy the patch.

    Thanks a lot again for your continued support and patience.

    Sainaba.

  • Which product supports offline AD SSO?

    Hello

    I read that Cyberoam supports offline AD for SSO. It copies the user data from AD, so when AD is down, SSO may still work correctly.

    QUESTIONS:

    1. Which of the following Cisco products support this?

    a. WSA

    b. ESA

    c. CUCM

    d. ISE

    Thank you

    The closest to this feature is using the WSA with CDA (Context Directory Agent), which serves as an authentication agent providing the WSA with the users' information and storing it in its local cache, so for all the clients whose AD server is offline, authentication will continue to work.

    CDA patch 2 can now work with ISE as well.

    Please see below for the overview:

    http://www.Cisco.com/c/en/us/TD/docs/security/IBF/cda_10/Install_Config_guide/cda10/cda_oveviw.html

  • Finesse SSO Bypass URL

    Dear users of the forum.

    I know these are the URLs to bypass SSO for UCCX Administration and Serviceability, but is there one for Finesse? My customer is having some problems with Finesse and we suspect it might be related to SSO, which was activated after they upgraded to UCCX 11.5.

    • For Cisco Unified CCX Administration URL: https:///appadmin/recovery_login.htm

    • For Cisco Unified CCX Serviceability URL: https:///uccxservice/recovery_login.htm

    Thank you, Tim.

    Tim, there is no bypass URL for Finesse like the one for CCX Administration. The only option in case SSO does not work will be to turn it off and let the agents log in and authenticate against either CM or LDAP, where CM is integrated with AD.

    Regards

  • WSA - SSH Vulnerability Patch

    Hello

    We are trying to install the cisco-sa-20150625-ironport patch on our WSA. When we do the installation, the WSA restarts normally, but the patch is still displayed in the available updates.

    Is this normal? Does anyone else have this problem?

    This is normal behavior.

    After completion you will still see it listed in the upgrade output; it is only applied once, so please ignore it for later installs. If it is run again, the output shows that it's already done:

    wsa100v.local > upgrade

    Updates available.
    1 cisco-sa-20150625-ironport SSH Keys Vulnerability Fix
    [1] 1 >

    Do you want to save the current configuration to the configuration directory before upgrading? [Y]> n

    Do you want to email the current configuration before upgrading? [N]> n

    Performing an upgrade may require a reboot of the system after the upgrade. You can log in again after that. Do you want to upgrade? [Y]> y

    Checking if the 'Cisco-IronPort SSH Keys Vulnerability' patch is required
    Patch 'Cisco-IronPort SSH Keys Vulnerability' is already applied
    Upgrade installation is complete.

    -Robert

  • SSL certificate for access to the administration of a WSA

    Can someone point me to a guide on how to install an SSL certificate for access to the administration interface of a WSA?

    Curiously, all the documents I could find so far talk about SSL certificates for HTTPS decryption...

    Page 367 of this doc: http://www.Cisco.com/c/dam/en/us/TD/docs/security/WSA/wsa8-0/wsa8-0-6/WSA_8-0-6_User_Guide.PDF

  • WSA error

    Hello world.

    We have the following IronPort in our network:

    UDI: S170 V03 FTX1632M0AA
    Name: S170
    Description: Cisco IronPort S170
    Product: Cisco IronPort Web Security Appliance S170
    Model: S170
    Version: 7.5.2 - 303

    The director told me that he gets the following error several times during the day, and we do not know how to solve this problem:

    An application error has occurred: (' updater/app_thread.py _set_abandoned_versions: 883', '', '' NoneType' object is unsubscriptable', ' [updater/app_thread.py update_handler |] ") (1149] [updater/app_thread.py _run_update: 739] [updater/app_thread.py _set_abandoned_versions: 883]')

    Product: Cisco IronPort Web Security Appliance S170

    Model: S170

    Version: 7.5.2 - 303

    Serial number: 5057A8E21096-FTX1632M0AA

    Timestamp: 12 August 2014 07:29:24-0500

    To learn more about this alert, visit the Cisco IronPort support Web site.

    http://www.Cisco.com/Web/IronPort/index.html

    Any help would be appreciated! Thank you!!

    Hello

    It seems that you are hitting this issue because of bug CSCzv91509 (https://tools.cisco.com/bugsearch/bug/CSCzv91509), which throws an exception if the WSA is unable to communicate with the Cisco update servers.

    Here are the workarounds suggested in the bug information:

    Workaround:
    If the issue is that the IronPort update servers were unreachable:
    For versions 7.7.x: restore the connection to the Cisco update servers and run 'force tzupdate' in the CLI to force updates.
    For versions 7.5 and earlier: restore the connection to the Cisco update servers and restart the appliance.

    If two or more managers were trying to download the same update:
    Contact Cisco technical support to stop the additional manager.

    Kind regards

    Kush

  • WCCP restrictions imposed on the WSA S370

    Hi all

    Transparent proxy design in progress.

    WCCP running on an ASA5585X - everything configured properly (client and server on the same VLAN - and all works well under low load).

    2 x S370 to take responsibility for about 4000 users.

    The moment we migrate as-is (legacy DMZ) to the new DMZ build (injecting the default route attracts the outbound traffic), we see that about 8000 sessions get established and after that things become dead slow - users complain that loading a web page takes forever.

    Our initial thought was that the S370 just didn't cut it and we had underestimated the load (Cisco expresses the load in terms of 'users', which is very coarse, because a user can obviously trigger hundreds of HTTP(S) sessions - hard to rate it properly without forensic data on the "post-mortem" state).

    Now, I've read before that the planned bandwidth a single S370 will be able to handle (and we do a lot of inspection and filtering, as it is a highly secure environment) is a max of 100 Mbps. Our total outgoing internet capacity is 1 Gbit/s, to give a frame of reference.

    Now here's the kicker - while the performance issues persisted, we activated explicit proxy - and those pages loaded very quickly. So my initial theory that the S370 was completely flooded was apparently not accurate.

    The only difference I recognize here is that explicit proxy does not rely on GRE encapsulation (because it is not even hitting the WCCP redirect, but is routed from the interface to one of the proxies directly).

    Two possibilities:

    • The ASA cannot deal with the load (the ASA does WCCP in software and is not the best platform to perform WCCP in a relatively large environment - but 8000 sessions is not huge, nor can we see high CPU load or any other evidence that the box was out of steam)

    -or-

    • The S370 takes a serious hit on GRE decapsulation at some point.

    Is there anything I can get from either the ASA or the S370 to identify the real cause?

    The attached graphs (for a single S370) are for day 1 (19 Nov) - migration began around 10:00.

    On the second day (the 20th) no direct traffic was tied in (the customer did not allow any other attempts before we can identify the problem). We did what we could to simulate a substantial load with LoadRunner on a few laptops, but I realize the connection counts, ramp-up time and I/O horsepower may not approach the total number of actual users that would hit it the moment we change the default gateway.

    We have a TAC case open, which I had hoped would teach us that we have either underestimated the required number of WSAs for the design or should drop the ASA as WCCP server - so far nothing conclusive however.

    Kind regards

    Rik

    This ACL goes on the 'redirect list' in the GUI. It controls which traffic gets thrown at it; you can run with it or without it.

    7.7 is SO slow. TAC should have advised 7.5... 8.x has a lot of performance fixes.

  • Cisco NAC appliance - after a successful login, users are not moved to the proper VLAN

    Hello

    I am new to Cisco NAC appliances and I have to troubleshoot an implementation. It is a real IP OOB gateway configuration. Users can log in with the CCA, but after this successful login, they remain in the unauthenticated role, as well as on that VLAN. I checked the SNMP protocol and it seems to work very well. Also, I checked the logs in nac_manager.log and there is nothing surprising; in fact I see nothing about this user or the IP address that connects.

    Also, the user does not appear in the list of online users on the CAM.

    Can someone help me figure out how I can fix it? Version 4.8; I'll post any information requested.

    Thank you

    We recently had this problem with Windows AD SSO and Windows 7 clients.

    XP clients would authenticate just fine; however, Windows 7 clients would not authenticate and would just remain on the authenticated VLAN.

    Our issue was with the CAS SSO account we set up in AD. It only supported DES encryption, which Windows 7 64-bit does not have. We turned off "Use DES encryption" on the AD single sign-on account and re-tested.

    What are the settings of the port profile applied to the switchport?

    What are the VLAN mapping settings on the trunk ports, untrusted and trusted?
