Introduction
This document describes how to bypass authentication for specific user agents on the Cisco Web Security Appliance (WSA), all AsyncOS Versions 7.x and later.
How do I bypass authentication for specific user agents?
You can bypass authentication for a particular application with its user agent. This is a two-step process.
- Determine the user agent string used by the application.
- For standard applications, you can find the user agent string on these websites:
http://www.user-agents.org/
http://www.useragentstring.com/pages/useragentstring.php
http://www.infosyssec.com/infosyssec/security/useragentstrings.shtml
- You could also determine the user agent string from access logs on the appliance. Complete these steps:
- In the GUI, choose System Administration > Log Subscription > Access logs.
- Add %u in the Custom fields.
- Submit and commit the changes.
- Grep or tail the access logs based on the client IP address.
- The user agent string can be located at end of the access log line.
Example: In a Chrome browser, you could see the user agent string as Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.X.Y.Z Safari/525.13.)
- Configure the WSA to bypass authentication for the user agent strings.
- Choose Web Security Manager > Identities. Click Add Identity.
- Name: User Agent AuthExempt Identity
- Insert Above: Set to order 1
- Define Members by Subnet: Blank (or You could also define an IP address range/subnet)
- Define Members by Authentication: No Authentication Required
- Advanced > User Agents: Click None Selected. Under Custom user Agents, specify the User Agent string.
- Choose Web Security Manager > Access Policies. Click Add Policy.
- Policy Name: Auth Exemption for User Agents
- Insert Above Policy: Set to Order 1
- Identity Policy: User Agent AuthExempt Identity
- Advanced : None
This configuration exempts authentication for the specified user agents. The access policies still filter (based on URL categories) and scan (McAfee, Webroot) traffic as per the access policy setup.