Cisco WSA Authentication

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 6th part of the series.

A proxy is no real proxy without user authentication. That’s what I’m going to discuss in this post. Authentication is needed for logging and user tracking.

Authentication options:

  • Basic (local accounts)
  • NTLMSSP (for Microsoft Active Directory)

In explicit forwarding mode you can use straightforward proxy authentication. In transparent mode you have to fool the WSA.

In case all authentication services are unavailable, you can choose to either permit or block all traffic. You can find this setting under Network > Authentication by clicking Edit Global Settings.
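The explicit-mode challenge described above, plus the fail-open/fail-closed global setting, modelled as a small Python example. This is added illustration code, not part of the original post and not Cisco's implementation: it handles only the Basic scheme against a constructed local account store (the realm name, account and password are made-up values), answers 407 Proxy-Authenticate when credentials are missing or wrong, and applies the "permit or block all traffic" choice when the authentication service is down.

```python
import base64

# Constructed local account store, standing in for the WSA "Basic (local accounts)" option.
# These are made-up example credentials, not real ones.
LOCAL_ACCOUNTS = {"alice": "s3cret-example"}

# Assumed realm name used in the challenge header (illustrative only).
REALM = "WSA-Local"


def basic_header(user, password):
    """Build the Proxy-Authorization value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_credentials(header_value):
    """Return the user name if a 'Basic <base64>' value matches a local account, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Malformed token: treat exactly like bad credentials, never like "no auth needed"
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user if LOCAL_ACCOUNTS.get(user) == password else None


def proxy_decision(headers, auth_service_up=True, fail_open=False):
    """Model the explicit-proxy decision for one request.

    Returns (status, response_headers, user):
      407 -> challenge the client (Proxy-Authenticate),
      200 -> forward the request on behalf of `user`,
      403 -> block (auth service down and the global setting is 'block').
    """
    if not auth_service_up:
        # Global setting: when every authentication service is unavailable,
        # either permit everything (no user tracking) or block everything.
        return (200, {}, "-") if fail_open else (403, {}, "-")

    # HTTP header names are case-insensitive, so normalise before lookup
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}"'}

    creds = lowered.get("proxy-authorization")
    if creds is None:
        return (407, challenge, "-")

    user = check_basic_credentials(creds)
    if user is None:
        return (407, challenge, "-")
    return (200, {}, user)


if __name__ == "__main__":
    print(proxy_decision({}))                                   # first request: challenged
    print(proxy_decision({"Proxy-Authorization": basic_header("alice", "s3cret-example")}))
    print(proxy_decision({}, auth_service_up=False, fail_open=False))  # fail closed
```

The user name returned on a 200 decision is what ends up in the access log, which is the whole point of the post: without it every log line carries "-" instead of a user. Note that Basic sends the credentials base64-encoded, not encrypted, so the local-accounts option is only sensible on a trusted client network; NTLMSSP avoids sending the password at all.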

NTLM Authentication

Click Network > Authentication > Add Realm. You can configure one realm per authentication domain and only one NTLM domain. A realm sequence is an ordered sequence of realms and is automatically added when you add a second realm.

When you add an NTLM realm for Active Directory, you can configure up to three domain controller IP addresses. These IPs are only used for failover. You have to add a domain user account with rights to add a computer to the domain, because the WSA will join the Active Directory domain.

Important note: make sure the system time is correct. Configure a working NTP server before you join the Active Directory domain!
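The time check behind that note, as an added Python example that is not part of the original post and not WSA code: it parses the Transmit Timestamp from an NTP (RFC 5905) server reply and compares it with the local clock against the 5-minute tolerance that Active Directory/Kerberos applies by default. The 48-byte reply used here is constructed in the script so it runs offline; `query_ntp` shows the live UDP exchange but is only used when you pass a real server host yourself.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800
# Default Kerberos/Active Directory clock tolerance: 5 minutes
MAX_SKEW_SECONDS = 300


def ntp_transmit_time(packet):
    """Return the Transmit Timestamp (bytes 40-47 of a 48-byte NTP packet) as Unix time."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def clock_skew(local_unix_time, packet):
    """Local clock minus server clock, in seconds (positive = local clock is ahead)."""
    return local_unix_time - ntp_transmit_time(packet)


def time_ok_for_domain_join(local_unix_time, packet, max_skew=MAX_SKEW_SECONDS):
    """True when the appliance clock is within the tolerance a domain join needs."""
    return abs(clock_skew(local_unix_time, packet)) <= max_skew


def build_constructed_ntp_response(unix_seconds):
    """Build a minimal 48-byte server reply with only the transmit timestamp set.

    Constructed test data, not a capture from a real NTP server.
    """
    pkt = bytearray(48)
    pkt[0] = 0x24  # LI=0, VN=4, Mode=4 (server)
    struct.pack_into("!II", pkt, 40, unix_seconds + NTP_EPOCH_OFFSET, 0)
    return bytes(pkt)


def query_ntp(host, timeout=3.0):
    """Send one SNTP client request (mode 3) over UDP/123 and return the raw 48-byte reply."""
    request = bytearray(48)
    request[0] = 0x1B  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(bytes(request), (host, 123))
        reply, _ = sock.recvfrom(48)
    return reply


if __name__ == "__main__":
    # Offline demonstration on a constructed reply: clock 10 minutes ahead of the server
    server_time = 1700000000
    reply = build_constructed_ntp_response(server_time)
    print("skew:", clock_skew(server_time + 600, reply), "s")
    print("join would succeed:", time_ok_for_domain_join(server_time + 600, reply))
    # For a live check replace the constructed reply with: query_ntp("<your-ntp-server>")
    # and compare against time.time().
```

If the skew is outside the tolerance the domain join, and later NTLM/Kerberos authentication against the domain controllers, will fail with errors that rarely mention time, which is why the post tells you to fix NTP first.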

[Screenshot: Add Realm, step 1]

The LDAP configuration is almost identical to the Active Directory configuration.

Click Network > Authentication > Add Realm to add the correct user authentication for your Active Directory structure. Check with your Active Directory admin for the correct string you have to use.

[Screenshot: Add Realm, step 2]

Click Start Test to test the connection.