How Do I Create Access Policy Groups that Match Active Directory Groups?

Available Languages

Updated:July 18, 2014
Document ID:118005

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Question

Question

How do I create Access Policy Groups that match Active Directory (AD) Groups?

The first step is to configure an authentication realm (NT LAN Manager (NTLM) realm) and an Identity which uses the authentication realm.

-------------------------------------------------------------------------------------

  1. Create an NTLM realm on the Web Security Appliance (WSA) under Network > Authentication.
  2. Once you have your NTLM realm configured, choose Web Security Manager > Identities, then click Add Identity.
  3. Follow these steps to create an identity:
    1. Name: Auth.Id
    2. Insert Above: 1
    3. Define Members by Authentication: <NTLM realm name>
    4. Scheme: Use Basic or NTLMSSP or Use NTLMSSP
    5. Leave all other settings as default.
      If you want to test authentication against selected clients, use Define Members By Subnet and specify the IP of the requesting client. This allows the WSA to request authentication for these selected clients only.
    6. Click Submit.

At this point you should only have two identities, Auth.Id and Global Identity Policy, with authentication enabled on Auth.Id Identity.

The next step is to use the Auth.Id Identity and create access policies based on this Identity. You can specify required AD groups or users in the access policies.
-------------------------------------------------------------------------------------

  1. Choose GUI > Web Security Manager > Access Policies.
  2. Click Add Policy.
  3. Follow these steps to create an Access policy:
    1. Policy Name: Sales.Policy
    2. Insert Above Policy: 1
    3. Identity Policy: Auth.Id - Specifiy authorized groups and users
    4. Enter the group names manually, or click Refresh Directory to get the list of users that exist on your AD. Once you have selected the users, click Add.
    5. Click Submit when done.

If you need to create another access policy, click Add Policy and create another access policy for the new AD group.

You should not create new identities for the same authentication realm. Reuse the existing identity (Auth.Id) and create new access policies for different AD groups, as long as the identity is not bound to Proxy Ports, URL Categories, User Agents, or Define Members by Subnet.

For multiple access policies using different AD groups, the setup should look like this:
-------------------------------------------------------------------------------------

Identity

"Auth.Id"
"Global Identity Policy"

Access Policy

"Sales.Policy" using "Auth.Id"
"Support.Policy" using "Auth.Id"
"Manager.Policy" using "Auth.Id"
"Admin.Policy" using "Auth.Id"
"Global Policy" using "All"

Revision History

Revision Publish Date Comments
1.0
18-Jul-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Kei Ozaki and Siddharth Rajpathak
    Cisco TAC Engineers.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products