Cisco Web Security Appliance S670 Troubleshooting Guide

How Do I Create Access Policy Groups that Match Active Directory Groups?
Document ID: 118005
Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 18, 2014
Question
How do I create Access Policy Groups that match Active Directory (AD) Groups?
The first step is to configure an authentication realm (NT LAN Manager (NTLM) realm) and an Identity
which uses the authentication realm.
1. Create an NTLM realm on the Web Security Appliance (WSA) under Network > Authentication.
2. Once you have your NTLM realm configured, choose Web Security Manager > Identities, then click
Add Identity.
3. Follow these steps to create an identity:
   1. Name: Auth.Id
   2. Insert Above: 1
   3. Define Members by Authentication: <NTLM realm name>
   4. Scheme: Use Basic or NTLMSSP or Use NTLMSSP
   5. Leave all other settings as default.
      If you want to test authentication against selected clients, use Define Members By Subnet
      and specify the IP of the requesting client. This allows the WSA to request authentication for
      these selected clients only.
   6. Click Submit.
At this point you should only have two identities, Auth.Id and Global Identity Policy, with authentication
enabled on Auth.Id Identity.
The next step is to use the Auth.Id Identity and create access policies based on this Identity. You can specify
required AD groups or users in the access policies.
1. Choose GUI > Web Security Manager > Access Policies.
2. Click Add Policy.
3. Follow these steps to create an Access policy:
   1. Policy Name: Sales.Policy
   2. Insert Above Policy: 1
   3. Identity Policy: Auth.Id - Specify authorized groups and users
   4. Enter the group names manually, or click Refresh Directory to get the list of users that exist
      on your AD. Once you have selected the users, click Add.