
CCIE Security V4 Technology Labs Section 3:

Intrusion Prevention and Content Security


User Authentication with WSA
Last updated: May 15, 2013
Task
In AD there are two groups of users, as shown in the table below.
Configure WSA so that employees and contractors can access the categories referenced in the
table.
Users in both groups must also click through an acceptable-use page (the WSA End-User Acknowledgement, EUA) before any requested website is served.

Group         Categories                          EUA
Employees     All                                 Yes
Contractors   Business and Industry, Education    Yes
Configuration
WSA
First delete the identity and access policy left over from the previous task. Open the Access Policies page and delete the old policy with the trash can icon.


Now configure the End-User Notification capability. Navigate to Security Services > End-User Notification and edit the settings.
Select the appropriate options. In this case we want to use the Cisco logo and we want to require the user to click through the End-User Acknowledgement (EUA) page. No other changes are needed here, so click Submit.
As always, the change does not take effect until you commit it.
Now modify the global identity under Web Security Manager > Identities. Click the Global Identity Policy to edit it.
Change the drop-down from its default to Authenticate Users, since the task requires every user to authenticate before any access policy is applied.
Once Authenticate Users is selected, as seen in the previous image, the page exposes the remaining options, as seen in the following image. The values of importance here are that the realm is our AD1 server, that Authentication Surrogates is set to IP Address, and that the same surrogate settings are applied to Explicit Forward Requests. With an IP surrogate the WSA caches the authenticated user against the client IP address, so later requests from that IP are not challenged again until the entry expires or is flushed; this is also why the verification section below has to flush the auth cache before testing a second account from the same client. Click Submit.
Commit the changes.
Now create the access policies under Web Security Manager > Access Policies.
Here we are adding a new access policy. Click the Add Policy button.
Name the policy, in this case Employee Policy. Under Identities and Users make sure the radio button selects Selected Groups and Users, then click the link that reads No groups entered.
Now we see the group list from the AD1 realm. Find the employees group and add it to the Authorized Groups box by clicking the Add button.
This places the group in the box on the right-hand side. Highlighting the group is not enough; it must appear in the right-hand box before you submit.
Now apply the URL categories. Scroll down and click the None Selected link next to the URL Categories option.
The easy way to apply all of the categories is the Select All link, as seen below.
After you submit you can see all the URL categories applied to our access policy for employees.
Now repeat these steps for the contractors. Add another policy.
Name the policy and select the groups.
Here we have selected the contractors group from AD. In our lab environment there are two groups preconfigured, employees and contractors. For testing purposes you can create additional groups, but here we only need the two. Select the contractors group and add it.
After you submit, verify that the contractors group is listed under the Identities and Users section.
Now modify the URL categories by clicking the None Selected link next to URL Categories.
Rather than selecting all categories, the task is specific to two, Business and Industry and Education. Select those two categories and submit.
After submitting the contractor policy we see the list of policies. Note that the Employee Policy shows 78 Block and 1 Monitor under the URL Filtering heading of the table: a URL category that is selected in an access policy gets the Block action by default, which is the opposite of what the task asks for. Click on that link and change every selected category from Block to Monitor.
Do the same for the contractor policy.
When finished, neither policy should show any Block actions. Remember that categories a policy does not select are set to Use Global Policy Settings, so what a contractor gets for a category outside Business and Industry and Education is decided by the Global Policy's URL filtering, not by the Contractor Policy; check that the Global Policy does what you intend for those categories.
And of course you must commit the changes.
Verification
To verify, browse to a site and authenticate as employee.
Agree to the acceptable-use policy.
The test site in this lab is a router's web interface, so the router itself then prompts for its own login. Reaching that prompt shows that the WSA authenticated you and passed the request through.
Now clear the employee authentication on the WSA and repeat the same steps with the contractor account. Because the surrogate is the client IP address, the WSA would otherwise keep treating this client as the employee, so the cached entry must be flushed from the WSA command line. First list the authcache to see the authenticated user, then flush it.
wsa.inelab.local> authcache
Choose the operation you want to perform:
- FLUSHALL - Flush all entries from auth cache
- FLUSHUSER - Flush specific user entry from auth cache
- LIST - List all entries from auth cache
- SEARCH - Search all entries from auth cache
[]> LIST
List may print a lot of entries. Are you sure? [Y]>
INELAB\employee@AD1
1 entries in authentication cache
Choose the operation you want to perform:
- FLUSHALL - Flush all entries from auth cache
- FLUSHUSER - Flush specific user entry from auth cache
- LIST - List all entries from auth cache
- SEARCH - Search all entries from auth cache
[]> FLUSHALL
Are you sure that you want to flush all entries? [Y]>
1 entries in authentication cache flushed
Choose the operation you want to perform:
- FLUSHALL - Flush all entries from auth cache
- FLUSHUSER - Flush specific user entry from auth cache
- LIST - List all entries from auth cache
- SEARCH - Search all entries from auth cache
[]>
Go back and try to browse with the contractor.
First authenticate.
Next, accept the agreement.
Finally, we see that this site is not allowed for contractors.
Even though the request was denied, authentication still succeeded: the contractor identity matched and was cached, and only the access policy's URL filtering blocked the site. Authentication and authorization are separate steps on the WSA, and the cached entry is visible on the CLI.
Choose the operation you want to perform:
- FLUSHALL - Flush all entries from auth cache
- FLUSHUSER - Flush specific user entry from auth cache
- LIST - List all entries from auth cache
- SEARCH - Search all entries from auth cache
[]> LIST
List may print a lot of entries. Are you sure? [Y]>
INELAB\contractor@AD1
1 entries in authentication cache
Choose the operation you want to perform:
- FLUSHALL - Flush all entries from auth cache
- FLUSHUSER - Flush specific user entry from auth cache
- LIST - List all entries from auth cache
- SEARCH - Search all entries from auth cache
[]> FLUSHALL
Are you sure that you want to flush all entries? [Y]>
1 entries in authentication cache flushed
Choose the operation you want to perform:
- FLUSHALL - Flush all entries from auth cache
- FLUSHUSER - Flush specific user entry from auth cache
- LIST - List all entries from auth cache
- SEARCH - Search all entries from auth cache
[]>
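The configuration and verification steps above describe one request flow: the identity policy challenges the client and caches the result against its IP address, the End-User Acknowledgement page is enforced, the first access policy whose group matches the user is selected, and the URL category action is looked up in that policy with a fall-back to the Global Policy for categories the policy did not select. The following Python model, added here as an illustration and not WSA code or INE's lab material, replays the verification sequence on the page (employee allowed, authcache flushed, contractor blocked on an unselected category, contractor allowed on Education). The host names, the URL-to-category table and the Global Policy's Block action are assumptions; the Global Policy action is made a parameter precisely to show why it must be checked.

```python
"""Constructed model of the WSA request flow configured in this lab.
Example only: not WSA code. Hosts, categories and the Global Policy action
are assumptions chosen to reproduce the page's verification steps."""
from dataclasses import dataclass, field

# Assumed AD1 realm group membership, keyed as the authcache LIST output shows.
AD_GROUPS = {
    "INELAB\\employee@AD1": {"employees"},
    "INELAB\\contractor@AD1": {"contractors"},
}

# Constructed stand-in for the WSA URL category database.
URL_CATEGORIES = {
    "news.example.test": "Business and Industry",
    "school.example.test": "Education",
    "games.example.test": "Games",
}
ALL_CATEGORIES = {"Business and Industry", "Education", "Games"}


@dataclass
class AccessPolicy:
    name: str
    groups: set      # AD groups under Identities and Users (empty = global)
    actions: dict    # selected URL category -> "Monitor" | "Block"


def lab_policies(global_action="Block"):
    """Policies as built in the lab. global_action is an assumption: the page
    never shows the Global Policy's URL filtering settings."""
    employee = AccessPolicy("Employee Policy", {"employees"},
                            {c: "Monitor" for c in ALL_CATEGORIES})
    contractor = AccessPolicy("Contractor Policy", {"contractors"},
                              {"Business and Industry": "Monitor",
                               "Education": "Monitor"})
    glob = AccessPolicy("Global Policy", set(),
                        {c: global_action for c in ALL_CATEGORIES})
    return [employee, contractor], glob


@dataclass
class WSA:
    policies: list
    global_policy: AccessPolicy
    auth_cache: dict = field(default_factory=dict)      # client IP -> user
    eua_acknowledged: set = field(default_factory=set)  # users who clicked through

    def request(self, client_ip, host, credentials=None):
        # 1. Authentication. Surrogate is the client IP, so a cache hit skips
        #    the 407 challenge for later requests from that address.
        user = self.auth_cache.get(client_ip)
        if user is None:
            if credentials not in AD_GROUPS:
                return "407 Proxy Authentication Required"
            user = credentials
            self.auth_cache[client_ip] = user
        # 2. End-User Acknowledgement gate (simplified: tracked per user).
        if user not in self.eua_acknowledged:
            return "redirect: End-User Acknowledgement page"
        # 3. Access policies are evaluated top-down; first group match wins,
        #    otherwise the Global Policy applies.
        policy = next((p for p in self.policies if p.groups & AD_GROUPS[user]),
                      self.global_policy)
        # 4. URL filtering. A category the policy did not select is
        #    "Use Global Policy Settings", i.e. the Global Policy decides.
        category = URL_CATEGORIES.get(host, "Uncategorized")
        action = policy.actions.get(
            category, self.global_policy.actions.get(category, "Monitor"))
        return f"{action} via {policy.name} [{category}]"

    def accept_eua(self, client_ip):
        """The authenticated user behind client_ip clicks through the EUA page."""
        self.eua_acknowledged.add(self.auth_cache[client_ip])

    def authcache_list(self):
        return sorted(self.auth_cache.values())

    def authcache_flushall(self):
        """CLI: authcache > FLUSHALL. Forces every client to re-authenticate."""
        flushed = len(self.auth_cache)
        self.auth_cache.clear()
        return flushed


def run_verification(global_action="Block"):
    """Replays the page's verification sequence from one client IP."""
    policies, glob = lab_policies(global_action)
    wsa = WSA(policies, glob)
    client, games, edu = "10.1.1.50", "games.example.test", "school.example.test"
    out = [wsa.request(client, games)]                                # challenged
    out.append(wsa.request(client, games, "INELAB\\employee@AD1"))    # EUA redirect
    wsa.accept_eua(client)
    out.append(wsa.request(client, games))                            # employee allowed
    out.append(wsa.authcache_list())
    out.append(wsa.authcache_flushall())                              # clear employee
    out.append(wsa.request(client, games))                            # challenged again
    out.append(wsa.request(client, games, "INELAB\\contractor@AD1"))  # EUA redirect
    wsa.accept_eua(client)
    out.append(wsa.request(client, games))                            # global decides
    out.append(wsa.request(client, edu))                              # contractor allowed
    out.append(wsa.authcache_list())
    return out


if __name__ == "__main__":
    for step in run_verification():
        print(step)
```

Running `run_verification("Monitor")` instead shows the caveat from the configuration section: with a Global Policy that monitors everything, the contractor's Games request is allowed even though the Contractor Policy never selected that category, because the policy lists nothing for it and the decision falls through to the Global Policy.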