Cisco Web Security Appliance S380 User Guide

5-7
AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
 
Chapter 5      Acquire End-User Credentials
  Authentication Planning
Transparent User Identification with Active Directory
Active Directory does not record user log-in information in a format that is easily queried by other 
systems such as the Web Security appliance. Active Directory agents, such as Cisco’s Context 
Directory Agent (CDA), are necessary to query the Active Directory security event logs for information 
about authenticated users. 
AsyncOS for Web communicates with the Active Directory agent to maintain a local copy of the 
IP-address-to-user-name mappings. When AsyncOS for Web needs to associate an IP address with a user 
name, it first checks its local copy of the mappings. If no match is found, it queries an Active Directory 
agent to find a match.
For more information on installing and configuring an Active Directory agent, see Setting Up an Active Directory Agent to Provide Information to the Web Security Appliance, page 5-7.
Consider the following when you identify users transparently using Active Directory:
• Transparent user identification with Active Directory works with an NTLM or Kerberos authentication scheme only. You cannot use it with an LDAP authentication realm, even one that points at an Active Directory instance.
• Transparent user identification works with the versions of Active Directory supported by the Active Directory agent.
• You can install a second instance of an Active Directory agent on a different machine for high availability. Each agent then maintains its IP-address-to-user-name mappings independently of the other. AsyncOS for Web switches to the backup Active Directory agent after three unsuccessful ping attempts to the primary agent.
• The Active Directory agent uses on-demand mode when it communicates with the Web Security appliance: the appliance asks the agent about a specific IP address only when its local copy of the mappings has no match.
• The Active Directory agent pushes user log-out information to the Web Security appliance. Occasionally, a log-out is not recorded in the Active Directory security logs, for example when the client machine crashes or the user shuts it down without logging out. Without a log-out entry, the agent cannot tell the appliance that the IP address is no longer assigned to that user, so requests from that address continue to be attributed to the previous user. To limit this exposure, you can define how long AsyncOS caches an IP-address-to-user-name mapping that receives no update from an Active Directory agent. For more information, see .
• The Active Directory agent records the sAMAccountName for each user logging in from a particular IP address, so that the recorded user name is unique.
• The client IP address that a client machine presents to the Active Directory server must be the same one it presents to the Web Security appliance. If address translation or a proxy sits between the client and either of them, the address in the security log does not match the source address of the web request, and the user cannot be identified.
• AsyncOS for Web searches only a user's direct parent groups. It does not search nested groups.
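The cache behaviour these points describe (local lookup first, on-demand agent query on a miss, log-out pushes, failover after three failed pings, and expiry of mappings that receive no agent update), as an added Python model. This is illustration code, not AsyncOS or Context Directory Agent code: the Agent class and its ping()/query() interface, the agent names, the cache time and the sample mappings are assumptions constructed for the example, and pinging the primary three times per lookup is a simplification of the failover rule.

```python
"""Model of the IP-address-to-user-name cache described in this section.

Added example, not AsyncOS or Context Directory Agent code. The Agent
class, its ping()/query() interface, the agent names, the cache time and
the sample mappings are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Agent:
    """Stand-in for one Active Directory agent (hypothetical interface)."""
    name: str
    mappings: Dict[str, str] = field(default_factory=dict)  # IP -> sAMAccountName
    reachable: bool = True
    pings: int = 0

    def ping(self) -> bool:
        self.pings += 1
        return self.reachable

    def query(self, ip: str) -> Optional[str]:
        """On-demand mode: the appliance asks about a single IP address."""
        if not self.reachable:
            raise ConnectionError(f"{self.name} is unreachable")
        return self.mappings.get(ip)


@dataclass
class CacheEntry:
    user: str           # sAMAccountName, unique per account
    last_update: float  # time of the last update received from an agent


class MappingCache:
    """Appliance-side local copy of the IP-address-to-user-name mappings."""
    PINGS_BEFORE_FAILOVER = 3

    def __init__(self, primary: Agent, backup: Optional[Agent], cache_seconds: float):
        self.primary, self.backup = primary, backup
        self.cache_seconds = cache_seconds
        self.entries: Dict[str, CacheEntry] = {}

    def _select_agent(self) -> Optional[Agent]:
        for _ in range(self.PINGS_BEFORE_FAILOVER):
            if self.primary.ping():
                return self.primary
        # Three unsuccessful pings: fall back to the backup agent, if configured.
        return self.backup if self.backup and self.backup.ping() else None

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is not None:
            if now - entry.last_update <= self.cache_seconds:
                return entry.user  # served from the local copy, no agent query
            # No agent update within the cache time: the client may have crashed
            # or powered off without a log-off event, so the mapping is dropped.
            del self.entries[ip]
        agent = self._select_agent()
        if agent is None:
            return None
        user = agent.query(ip)
        if user is not None:
            self.entries[ip] = CacheEntry(user, now)
        return user

    def logout_push(self, ip: str) -> None:
        """An agent pushed a log-out event for this address: drop the mapping."""
        self.entries.pop(ip, None)


def demo() -> Dict[str, Optional[str]]:
    """Runs the section's scenarios against constructed sample data."""
    primary = Agent("cda-primary", {"10.0.0.5": "jdoe", "10.0.0.6": "asmith"})
    backup = Agent("cda-backup", {"10.0.0.7": "bnguyen"})
    cache = MappingCache(primary, backup, cache_seconds=3600)
    out: Dict[str, Optional[str]] = {}

    out["miss_then_agent"] = cache.lookup("10.0.0.5", now=0)   # queried from primary
    out["served_locally"] = cache.lookup("10.0.0.5", now=100)  # local copy, no query

    # Normal log-off: the agent sees the event and pushes it to the appliance.
    cache.logout_push("10.0.0.5")
    primary.mappings.pop("10.0.0.5")
    out["after_logout"] = cache.lookup("10.0.0.5", now=200)

    # Crashed client: no log-off in the security log, so nothing is pushed and
    # the stale mapping is still served until the cache time runs out.
    cache.lookup("10.0.0.6", now=200)
    out["stale_within_cache_time"] = cache.lookup("10.0.0.6", now=3000)

    # Primary agent down: the expired entry forces a query, which fails over.
    primary.reachable = False
    out["expired_primary_down"] = cache.lookup("10.0.0.6", now=4000)  # backup has no mapping
    out["via_backup"] = cache.lookup("10.0.0.7", now=4000)
    out["primary_pings"] = str(primary.pings)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "stale_within_cache_time" case is the one to pay attention to: until the cache time elapses, the appliance keeps attributing traffic from 10.0.0.6 to the user who crashed, which is why the cache time should be no longer than your environment's DHCP lease and desktop-sharing patterns tolerate.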
Setting Up an Active Directory Agent to Provide Information to the Web Security Appliance
Because AsyncOS for Web cannot obtain client IP addresses directly from Active Directory, it must 
obtain IP-address-to-user-name mapping information from an Active Directory agent.
Install an Active Directory agent on a machine in the network that is accessible to the Web Security 
appliance, and which can communicate with all visible Windows domain controllers. For best 
performance, this agent should be physically as close as possible to the Web Security appliance. In 
smaller network environments, you may want to install the Active Directory agent directly on the Active 
Directory server.