Cisco Web Security Appliance S670 Troubleshooting Guide

workstation name.
Because the workstation name is not a member of any AD group, requests may not trigger the expected Access
Policy and are therefore blocked. The problem persists until the surrogate has timed out and the authentication has
to be renewed. This time, with an actual user logged in and valid user credentials available, a new IP
Surrogate is created with that user's information, and further requests match the expected Access Policy.
Another scenario seen is when applications send invalid credentials (NULL username and NULL domain) rather than
valid machine credentials. This is treated as an authentication failure and the request is blocked, or, if guest
policies are enabled, the failed authentication is treated as a "guest".
The workstation name ends with a $ followed by @DOMAIN, which makes workstation names easy to trace
by using the CLI command grep on the accesslogs for $@. See the example below for clarification.
grep $@ accesslogs
1332164800.0000 9 10.20.30.40 TCP_DENIED/403 5608 GET http://www.someURL.com "gb0000d01$@DOMAIN" NONE/- - BLOCK_WEBCAT_11-DefaultGroup-Internet-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,"-",-,"-","-",-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
The line above shows an example of an IP Surrogate already having been created for the IP address
10.20.30.40 and the machine name gb0000d01$.
In order to find the request that sent the machine name, the first occurrence of the workstation name for the
specific IP address has to be identified. The following CLI command accomplishes this:
grep 10.20.30.40 -p accesslogs
Search the result for the first occurrence of the workstation name. The first three requests are commonly
recognized as an NTLM Single Sign-On (NTLMSSP) handshake, as described here and shown in
the example below:
1335248044.836 0 10.20.30.40 TCP_DENIED/407 1733 GET http://SomeOtherURL.com - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,"-",-,"-","-",-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
1335248044.839 0 10.20.30.40 TCP_DENIED/407 483 GET http://SomeOtherURL.com - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,"-",-,"-","-",-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
1335248044.845 10 10.20.30.40 TCP_DENIED/403 2357 GET http://SomeOtherURL.com "gb0000d01$@DOMAIN" NONE/- - BLOCK_ADMIN_PROTOCOL_11-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,"-",-,"-","-",-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -
When troubleshooting, ensure that these three requests are for the same URL and are logged within a very short
time interval, indicating that it is an automated NTLMSSP handshake.
In the example above, the preceding requests are logged with the HTTP response code 407 (Proxy
Authentication required) for explicit requests, while transparent requests would be logged with HTTP
response code 401 (Unauthenticated).
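As an added illustration (not part of Cisco's guide), the following Python script applies these checks to constructed sample access-log lines: for each client IP it finds the first request authenticated with a workstation$@DOMAIN machine account (the entry that would have created the IP surrogate) and verifies that the two preceding entries are 407/401 challenges for the same URL within a short window. The field layout follows the entries above; the sample lines are constructed and their trailing fields abbreviated.

```python
import re
from collections import defaultdict

# Constructed sample in the WSA access-log layout shown above (trailing
# fields abbreviated); not output from a real appliance.
SAMPLE_LOG = """\
1335248044.836 0 10.20.30.40 TCP_DENIED/407 1733 GET http://SomeOtherURL.com - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,"-"> -
1335248044.839 0 10.20.30.40 TCP_DENIED/407 483 GET http://SomeOtherURL.com - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,"-"> -
1335248044.845 10 10.20.30.40 TCP_DENIED/403 2357 GET http://SomeOtherURL.com "gb0000d01$@DOMAIN" NONE/- - BLOCK_ADMIN_PROTOCOL_11-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-NONE <-,-,"-"> -
1335248100.000 9 10.20.30.40 TCP_DENIED/403 5608 GET http://www.someURL.com "gb0000d01$@DOMAIN" NONE/- - BLOCK_WEBCAT_11-DefaultGroup-Internet-NONE-NONE-NONE-NONE <-,-,"-"> -
1335248200.004 5 10.20.30.41 TCP_MISS/200 9000 GET http://www.example.com "jsmith@DOMAIN" DIRECT/www.example.com text/html ALLOW_WBRS_11-DefaultGroup-Internet-NONE-NONE-NONE-NONE <-,-,"-"> -
"""

# Leading fields of an access-log entry: timestamp, elapsed ms, client IP,
# result/HTTP-code, bytes, method, URL, authenticated user ("-" if none).
ENTRY = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<ip>\S+) (?P<result>\w+)/(?P<code>\d{3}) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>"[^"]*"|-) ')
MACHINE_ACCOUNT = re.compile(r'^".+\$@[^"]+"$')   # workstation$@DOMAIN

def parse_line(line):
    m = ENTRY.match(line)
    return m and dict(m.groupdict(), ts=float(m["ts"]), code=int(m["code"]))

def machine_surrogates(log_text, window=1.0):
    """Per client IP: the first request authenticated with machine credentials,
    and whether it is preceded by the 407/401 challenges of an NTLMSSP
    handshake for the same URL within `window` seconds (assumed threshold)."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[e["ip"]].append(e)
    found = {}
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["ts"])
        for i, e in enumerate(entries):
            if not MACHINE_ACCOUNT.match(e["user"]):
                continue
            prev = entries[max(0, i - 2):i]
            handshake = len(prev) == 2 and all(
                p["code"] in (401, 407) and p["url"] == e["url"]
                and e["ts"] - p["ts"] <= window for p in prev)
            found[ip] = {"workstation": e["user"].strip('"'),
                         "first_seen": e["ts"], "ntlm_handshake": handshake}
            break
    return found
```

On a real appliance, feed it the output of grep on the accesslogs; an IP reported without a handshake usually means the machine-credential request was not the first for that client and the earlier entries should be inspected.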
AsyncOS 7.5.0 and later add the ability to define a separate surrogate timeout for machine credentials.
It can be configured using the following command: