In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 6th part of the series.
A proxy is no real proxy without user authentication. That’s what I’m going to discuss in this post. Authentication is needed for logging and user tracking.
- Basic (local accounts)
- NTLMSSP (for Microsoft Active Directory)
In explicit forwarding mode you can use straightforward proxy authentication. In transparant mode you have to fool the WSA.
In case all authentication services are unavailable, you can choose to permit or block all traffic. You can find this setting in Network > Authentication, click Edit Global Settings.
This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 3: Active Directory
Microsoft Active directory is the mostly used directory. Cisco ISE can get membership in only 1 AD forest in ISE 1.1.x.
Check the following requirements:
- Correctly configured NTP
- Firewall ports: tcp: 389, 636, 445, 88, 3268, 3289, 464
- Firewall ports: udp: 389, 123
- All firewall ports are needed for the policy nodes
- NAT is not supported!!
A local identity store is desired as a fallback in the event that the external identity store cannot be contacted. This is optional.
Click Administration – Identity management – Groups and click Add to add a new group. (Bulk import is available)
Under Administration – Identity management – identities – users, users can be created and linked to the usergroup.