user authentication with wsa

Post on 11-Oct-2015


    CCIE Security V4 Technology Labs Section 3: Intrusion Prevention and Content Security

    User Authentication with WSA

    Last updated: May 15, 2013

    Task

    In AD there are two groups of users, as shown in the table below. Configure WSA so that employees and contractors can access the categories referenced in the table. The user should be required to agree to an acceptable use policy before gaining access to the requested websites.

    Group         Categories                          EUA
    Employees     All                                 Yes
    Contractors   Business and Industry, Education    Yes

    Configuration

    WSA

    First delete the previous identity and access policy. Go into the Access Policy page. Delete the policy using the trash can icon.

    Now configure the End-User Notification capability. To do so, navigate to Security Services > End-User Notification. Edit the settings.

    Select the appropriate options. In this case we want to use the Cisco logo and we want to require the user to click through an EUA. We don't need to make any other changes here, so click Submit.

    Of course you must commit the changes.

    Now modify the global identity under Web Security Manager > Identities. Click the Global Identity Policy to make changes to it.

    Now change the drop-down to reflect that we want to require authentication: the selection should be Authenticate Users.

    Once you select the Authenticate Users option as seen in the previous image, the page is enabled for more configuration options, as seen in the following image. The values of importance here are that we are looking at our AD1 server, that under the Authentication Surrogates section IP Address is selected, and that we apply the same surrogate settings to Explicit Forward Requests. Click Submit.

    Commit the changes.

    Now create the access policies under Web Security Manager > Access Policies. Here we are adding a new access policy. Click the Add Policy button.

    Name the policy; in this case we call it Employee Policy. Under Identities and Users make sure the radio button selects Selected Groups and Users, and then click on the link that reads No groups entered.

    Now we see a list of the AD1 realm. Find the employee group and add it to the Authorized Groups box by clicking the Add button. This places the group in the box seen on the right-hand side. Selecting the group is not enough: it must appear on the right-hand side before you submit.

    Now we want to apply the URL categories. To do that, scroll down and click the None Selected link next to the URL Categories option. The easy way to apply all of the categories is by using the Select All link, as seen below. After you submit you can see all the URL categories applied to our access policy for employees.

    Now repeat these steps for the contractors. Add another policy. Name the policy and select the groups.

    Here we have selected the contractor group from AD. In our lab environment there are two groups that are preconfigured, employees and contractors. For testing purposes you can create additional groups to test with; here, though, we only need the two. Select the contractors group and add it. After you submit, verify that the contractors group is listed under the Identities and Users section.

    Now modify the URL categories by selecting the None Selected link next to URL Categories. Rather than selecting all categories, the task is specific to two categories: Business and Industry, and Education. Select the two categories as required by the task and submit.

    After submitting the policy configuration for the contractors we see the list of policies. Note that the Employee Policy shows 78 Block and 1 Monitor under the URL Filtering heading of the table. Click on that link to modify the policy and change it to Monitor all categories rather than Block. Do the same for the contractor policy. When finished, the policy should not show any Block actions.

    And of course you must commit the changes.

    Verification

    To verify, browse to a site and authenticate as employee. Agree to the acceptable use policy.

    Because the site is a router, you are prompted to authenticate to it. Reaching that prompt shows that you have successfully authenticated.

    Clear the employee authentication on the WSA and perform these tasks again with the contractor account. You must do so from the command line of the WSA. First view the authcache to see the authenticated user, and then clear it.

    wsa.inelab.local> authcache

    Choose the operation you want to perform:
    - FLUSHALL - Flush all entries from auth cache
    - FLUSHUSER - Flush specific user entry from auth cache
    - LIST - List all entries from auth cache
    - SEARCH - Search all entries from auth cache
    []> LIST

    List may print a lot of entries. Are you sure? [Y]>

    INELAB\employee@AD1
    1 entries in authentication cache

    Choose the operation you want to perform:
    - FLUSHALL - Flush all entries from auth cache
    - FLUSHUSER - Flush specific user entry from auth cache
    - LIST - List all entries from auth cache
    - SEARCH - Search all entries from auth cache
    []> FLUSHALL

    Are you sure that you want to flush all entries? [Y]>

    1 entries in authentication cache flushed

    Choose the operation you want to perform:
    - FLUSHALL - Flush all entries from auth cache
    - FLUSHUSER - Flush specific user entry from auth cache
    - LIST - List all entries from auth cache
    - SEARCH - Search all entries from auth cache
    []>

    Go back and try to browse with the contractor. First authenticate. Next, accept the agreement. Finally, we see that this site is not allowed for contractors.

    Even though you were not allowed access to the site, you still authenticated, and you can see this on the WSA CLI.

    Choose the operation you want to perform:
    - FLUSHALL - Flush all entries from auth cache
    - FLUSHUSER - Flush specific user entry from auth cache
    - LIST - List all entries from auth cache
    - SEARCH - Search all entries from auth cache
    []> LIST

    List may print a lot of entries. Are you sure? [Y]>

    INELAB\contractor@AD1
    1 entries in authentication cache

    Choose the operation you want to perform:
    - FLUSHALL - Flush all entries from auth cache
    - FLUSHUSER - Flush specific user entry from auth cache
    - LIST - List all entries from auth cache
    - SEARCH - Search all entries from auth cache
    []> FLUSHALL

    Are you sure that you want to flush all entries? [Y]>

    1 entries in authentication cache flushed

    Choose the operation you want to perform:
    - FLUSHALL - Flush all entries from auth cache
    - FLUSHUSER - Flush specific user entry from auth cache
    - LIST - List all entries from auth cache
    - SEARCH - Search all entries from auth cache
    []>
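The following Python model is an added example, not part of the INE workbook and not Cisco WSA code. It replays what the Configuration and Verification sections set up: an authentication cache keyed by IP surrogate, an EUA click-through that must happen once per surrogate, and the two group-based access policies from the task table. Group names, the handful of URL categories, the client address 10.0.0.5 and the rule that categories a policy does not list fall to a Block (standing in for the global policy setting) are all assumptions chosen to match the lab text. The model also makes explicit why the lab flushes the authcache before testing as contractor: with IP surrogates, a new logon from the same client IP does not replace the cached user.

```python
"""Constructed model (not Cisco WSA code) of the behaviour configured in this
lab: IP-surrogate authentication cache, group-based access policies, and the
End-User Acknowledgement (EUA) gate. Names and categories are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed AD1 realm membership: the lab's two preconfigured groups.
AD1_GROUPS: Dict[str, Set[str]] = {
    "INELAB\\employee": {"Employees"},
    "INELAB\\contractor": {"Contractors"},
}

# Assumed small subset of WSA URL categories (the lab's Select All produced
# 79 rows: 78 Block + 1 Monitor).
ALL_CATEGORIES: Set[str] = {
    "Business and Industry", "Education", "Gambling", "Social Networking",
}

# Access policies as the task configures them: every listed category set to
# Monitor. Categories a policy does not list fall through to a default Block,
# standing in for the global policy setting (assumption).
POLICIES: List[dict] = [
    {"name": "Employee Policy", "group": "Employees",
     "monitor": ALL_CATEGORIES},
    {"name": "Contractor Policy", "group": "Contractors",
     "monitor": {"Business and Industry", "Education"}},
]


@dataclass
class AuthCache:
    """Auth cache keyed by IP surrogate, as the global identity is set up.
    Whoever authenticated first from an IP owns that IP until flushed."""
    entries: Dict[str, str] = field(default_factory=dict)   # ip -> user
    eua_accepted: Set[str] = field(default_factory=set)     # ips that clicked through

    def list_entries(self) -> List[str]:
        """Model of the authcache LIST operation."""
        return sorted(f"{user}@AD1" for user in self.entries.values())

    def flushall(self) -> int:
        """Model of FLUSHALL; returns the number of entries flushed."""
        count = len(self.entries)
        self.entries.clear()
        self.eua_accepted.clear()
        return count


@dataclass
class WSA:
    cache: AuthCache = field(default_factory=AuthCache)

    def request(self, client_ip: str, category: str,
                login_as: Optional[str] = None,
                accept_eua: bool = False) -> str:
        """Evaluate one web request. `login_as` models a successful AD logon
        (password checking is out of scope); it is only consulted when the
        client IP has no surrogate entry yet."""
        # 1. Identity: an existing IP surrogate entry wins over new credentials.
        user = self.cache.entries.get(client_ip)
        if user is None:
            if login_as not in AD1_GROUPS:
                return "AUTH_REQUIRED"
            user = login_as
            self.cache.entries[client_ip] = user
        # 2. EUA: the acceptable use policy must be acknowledged once per surrogate.
        if client_ip not in self.cache.eua_accepted:
            if not accept_eua:
                return "EUA_REQUIRED"
            self.cache.eua_accepted.add(client_ip)
        # 3. Access policy: the first policy whose group the user belongs to decides.
        for policy in POLICIES:
            if policy["group"] in AD1_GROUPS[user]:
                return "MONITOR" if category in policy["monitor"] else "BLOCK"
        return "BLOCK"


def lab_verification() -> List[str]:
    """Replays the Verification section from one constructed test host."""
    wsa, ip = WSA(), "10.0.0.5"
    results = [
        wsa.request(ip, "Gambling"),                                   # AUTH_REQUIRED
        wsa.request(ip, "Gambling", login_as="INELAB\\employee"),      # EUA_REQUIRED
        wsa.request(ip, "Gambling", accept_eua=True),                  # MONITOR
        # Logging on as contractor from the same IP changes nothing: the
        # surrogate entry still says employee. This is why the lab flushes.
        wsa.request(ip, "Gambling", login_as="INELAB\\contractor"),    # MONITOR
    ]
    wsa.cache.flushall()
    results += [
        wsa.request(ip, "Gambling", login_as="INELAB\\contractor",
                    accept_eua=True),                                  # BLOCK
        wsa.request(ip, "Education"),                                  # MONITOR
    ]
    # The contractor stays in the cache even though the site was blocked.
    results += wsa.cache.list_entries()
    return results


if __name__ == "__main__":
    for step in lab_verification():
        print(step)
```

Running the script prints the seven outcomes in order. The fourth line is the one to notice: the contractor logon from the employee's IP is silently ignored because the surrogate entry is keyed on the address, which is exactly what the FLUSHALL step in the lab clears. The last line shows the contractor entry present after a blocked request, matching the second authcache LIST in the lab.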