Web Security Appliance (WSA) offers the ability to grant limited access to users who fail authentication due to invalid credentials.
By default, when a client fails authentication, the Web Proxy keeps requesting valid credentials, which effectively blocks access to all resources. To change this, the proxy policies need to be modified so that a client who presents incorrect credentials on the first attempt is treated as a guest and is not prompted to authenticate again. Examples of when this feature can be useful are listed below:
- Temporary access for visitors & contractors
- Access for visiting employees, coming from other branch locations, when separate databases are used in the HQ and other offices
- Temporary access for new hires (until they are finally added to the AD)
The configuration of Guest Access on the WSA can be summarized as follows:
- An Identity must be defined that requires authentication but also allows Guest Privileges
- A Policy Rule must be created where support for Guest Access is enabled
- The above Policy Rule should use the Guest-enabled Identity as a condition – otherwise a Global Rule may match the transaction instead (this depends on the WSA code version)
Before we get to the configuration of Guest Access I want to show you what happens when someone fails authentication and the feature is not enabled:
Let's try to get to www.cnn.com and observe the logs:
1414254855.077 2 192.168.20.200 TCP_DENIED/407 1763 GET http://www.cnn.com/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <IW_news,6.9,"1","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_news,-,"-","-","Unknown","Unknown","-","-",7052.00,0,-,"-","-"> -
As you can see above, the transaction was denied. In fact, all traffic from the user's PC that goes through the proxy is now blocked until the user successfully authenticates.
In our case I am going to assume that VLAN 20 is a network segment dedicated to guest access. To start the configuration I will create an Identity that catches all transactions coming from this network (192.168.20.0/24). What is important to remember here is that the "Support Guest privileges" option must be checked, to tell the proxy that all connections matched by this Identity are candidates for Guest Access:
This is what we now have under Identities:
The next thing to do is create an Access Policy rule. Two key things to remember: first, select our Guest Identity as one of the Policy conditions (in our case it will be the only condition); second, enable Guest Access by selecting the "Guests (users failing authentication)" checkbox. Note that this option only becomes available when there is at least one Identity defined with "Support for Guest Privileges" enabled:
Now a simple change under URL Filtering within this rule, to unblock traffic to all web pages categorized as "News":
And there we go:
Looks good – time to test our configuration:
1414255770.906 128 192.168.20.200 TCP_REFRESH_HIT/200 417 GET http://www.cnn.com/ "(Unauthenticated)192.168.20.200" DIRECT/www.cnn.com text/html ALLOW_WBRS_11-GUESTSPOL-GUESTID-NONE-NONE-NONE-DefaultGroup <IW_news,6.9,"1","-",-,-,-,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"-","-","Unknown","Unknown","-","-",26.06,0,-,"-","-"> -
All good!
Also note that when the Web Proxy grants a user guest access, it identifies and logs that user as a guest in the access logs. You can specify whether the Web Proxy identifies the user by IP address (the default) or by user name:
Here is a sample log message generated by the proxy with user-based logging enabled:
1414257443.357 123 192.168.20.200 TCP_REFRESH_HIT/200 417 GET http://www.cnn.com/ "(Unauthenticated)Student" DIRECT/www.cnn.com text/html ALLOW_WBRS_11-GUESTSPOL-GUESTID-NONE-NONE-NONE-DefaultGroup <IW_news,6.9,"1","-",-,-,-,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_news,-,"-","-","Unknown","Unknown","-","-",27.12,0,-,"-","-"> -
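To audit what the guest policy actually admits, here is an added example (my own code, not from the post or from Cisco) in Python that parses the leading fields of the access log lines shown above and counts the transactions admitted as guests per Identity, Access Policy and guest principal. It assumes the ACL tag reads decision-AccessPolicy-Identity-... as the three samples suggest, and the sample lines are constructed from the post's values with the trailing verdict block trimmed.

```python
import re
from collections import Counter

# Leading fields of a WSA access log line, as laid out in the samples above
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[^/\s]+)/(?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>"[^"]*"|\S+) '
    r'(?P<hier>\S+) (?P<mime>\S+) (?P<acl>\S+)')
GUEST_PREFIX = "(Unauthenticated)"   # how the proxy marks a guest in the user field

# Constructed sample lines (values taken from the post), trimmed after the ACL tag
SAMPLE_LINES = [
    '1414254855.077 2 192.168.20.200 TCP_DENIED/407 1763 GET http://www.cnn.com/ - NONE/- - '
    'OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <IW_news,...> -',
    '1414255770.906 128 192.168.20.200 TCP_REFRESH_HIT/200 417 GET http://www.cnn.com/ '
    '"(Unauthenticated)192.168.20.200" DIRECT/www.cnn.com text/html '
    'ALLOW_WBRS_11-GUESTSPOL-GUESTID-NONE-NONE-NONE-DefaultGroup <IW_news,...> -',
    '1414257443.357 123 192.168.20.200 TCP_REFRESH_HIT/200 417 GET http://www.cnn.com/ '
    '"(Unauthenticated)Student" DIRECT/www.cnn.com text/html '
    'ALLOW_WBRS_11-GUESTSPOL-GUESTID-NONE-NONE-NONE-DefaultGroup <IW_news,...> -',
]

def parse_wsa_line(line):
    """Return the leading fields of one access log line as a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = rec["user"].strip('"')
    # ACL tag assumed to read decision-AccessPolicy-Identity-... (names without '-')
    rec["decision"], rec["policy"], rec["identity"] = rec["acl"].split("-")[:3]
    return rec

def classify(rec):
    """Label how the proxy handled the client's identity on this transaction."""
    if rec["user"].startswith(GUEST_PREFIX):
        return "guest"        # admitted under Guest Access after failing auth
    if rec["status"] == 407:
        return "challenged"   # proxy is still demanding credentials
    return "anonymous" if rec["user"] == "-" else "authenticated"

def guest_summary(lines):
    """Count guest transactions per (identity, access policy, guest principal)."""
    counts = Counter()
    for rec in filter(None, map(parse_wsa_line, lines)):
        if classify(rec) == "guest":
            principal = rec["user"][len(GUEST_PREFIX):]
            counts[(rec["identity"], rec["policy"], principal)] += 1
    return counts
```

Running `guest_summary` over a day's access log quickly shows whether anything other than the intended Guest Identity and Access Policy is admitting unauthenticated users.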
As this article shows, Guest Access can be easily enabled on the WSA whenever you want to provide limited access to certain users. What is nice about this feature is that, once it is enabled, the administrator does not need to communicate any guest credentials to visitors.
- Piotr