Thursday, June 29, 2017

300-210 1.2.c Cisco Web Security Appliance - Implement WSA identity and authentication, including transparent user identification

WSA identity and authentication can be performed either directly, with the WSA itself querying Active Directory or LDAP, or transparently.

Explicit Forwarding
When configuring identity, the first screen in the GUI is under Web Security Manager -> Identification Profiles.
By default nothing is configured; an identification profile must be created to use this feature.
Clicking the "Add Identification Profile" button brings up the default screen, which looks like this:

By default a name can be given and members defined, as well as proxy ports, user agents, and URL categories (in the advanced section).  No user identification method is selected by default.  This is where direct user identification is configured (the WSA queries Active Directory / LDAP itself).

Navigating to Network -> Authentication takes us to the screen where AD/LDAP can be defined.

Adding a realm:

Give the realm a name, add the Active Directory server(s) (or LDAP server) and the domain, and click the join domain button to enter the credentials used to join the domain.  Since this realm uses Explicit Forwarding, that is all the configuration needed.  Press the "start test" button to verify the configuration.  Since I used bogus credentials, my test results looked like this:

Checking DNS resolution of WSA hostname(s)...
Failure: Unable to resolve 'wsa.milbur.local' :
Unknown hostname


Checking DNS resolution of Active Directory Server(s)...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Checking DNS resolution of AD Server(s)' full computer name(s)...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Validating configured Active Directory Domain...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Attempting to get TGT...
Failure: Error while fetching Kerberos Tickets from server 'ad1.test.local' :
kinit: krb5_get_init_creds: unable to reach any KDC in realm TEST.LOCAL

Failure: Error while fetching Kerberos Tickets from server 'ad2.test.local' :
kinit: krb5_get_init_creds: unable to reach any KDC in realm TEST.LOCAL


Checking local WSA time and server time difference...
Warning: Cannot check system time on AD server 'ad1.test.local'
Warning: Cannot check system time on AD server 'ad2.test.local'

Attempting to fetch AD group information...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Test completed: Errors occurred, see details above.

Lots of errors there, but it gives a good idea of the various checks performed, and the order they run in: DNS resolution of the WSA and AD hostnames first, then domain validation, Kerberos TGT acquisition, clock skew, and finally AD group lookup.
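As an added example (my own code, not from the post or from Cisco), here is a small Python parser that turns the realm test output above into per-stage results and separates the root-cause DNS failures from the Kerberos failures that follow from them; the embedded sample is a constructed, abbreviated copy of the output shown above.

```python
# Constructed sample, abbreviated from the realm-test output shown in the post.
SAMPLE = """\
Checking DNS resolution of WSA hostname(s)...
Failure: Unable to resolve 'wsa.milbur.local' :
Unknown hostname

Checking DNS resolution of Active Directory Server(s)...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Attempting to get TGT...
Failure: Error while fetching Kerberos Tickets from server 'ad1.test.local' :
kinit: krb5_get_init_creds: unable to reach any KDC in realm TEST.LOCAL

Checking local WSA time and server time difference...
Warning: Cannot check system time on AD server 'ad1.test.local'

Test completed: Errors occurred, see details above.
"""

def parse_realm_test(text):
    """Return {stage: [(level, host, detail), ...]} in the order the WSA ran them."""
    stages, current, pending = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("..."):                       # stage header
            current, pending = line[:-3], None
            stages[current] = []
        elif line.startswith(("Failure:", "Warning:")) and current:
            level, _, msg = line.partition(":")
            host = msg.split("'")[1] if "'" in msg else None   # quoted hostname
            pending = [level, host, msg.strip().rstrip(" :")]
            stages[current].append(pending)
        else:
            # a non-blank line right after a Failure/Warning is its detail line
            if pending and line and not line.startswith("Test completed"):
                pending[2] += " / " + line
            pending = None
    return {k: [tuple(e) for e in v] for k, v in stages.items()}

def triage(results):
    """Split failures into root causes and knock-on failures on hosts DNS never resolved."""
    dns_dead = {h for s, entries in results.items() if s.startswith("Checking DNS")
                for _, h, d in entries if h and "Unknown hostname" in d}
    root, knock_on = [], []
    for stage, entries in results.items():
        for level, host, _ in entries:
            if level == "Failure":
                later = host in dns_dead and not stage.startswith("Checking DNS")
                (knock_on if later else root).append((stage, host))
    return root, knock_on
```

Fix the hosts listed in the root-cause list first; the knock-on list is what the test will keep reporting until DNS for those hosts works.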
