How do I bypass authentication for specific user agents?

Available Languages

Download Options

  • PDF     (4.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (81.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (66.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 5, 2021
Document ID:118054

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to bypass authentication for specific user agents on the Cisco Web Security Appliance (WSA), all AsyncOS Versions 7.x and later.

    How do I bypass authentication for specific user agents?

    You can bypass authentication for a particular application with its user agent. This is a two-step process.

    1. Determine the user agent string used by the application.
      1. For standard applications, you should be able to find the user agent string on these websites:
        http://www.user-agents.org/
        http://www.useragentstring.com/pages/useragentstring.php
        http://www.infosyssec.com/infosyssec/security/useragentstrings.shtml
      2. You could also determine the user agent string from access logs on the appliance. Complete these steps:
        1. In the GUI, choose System Administration > Log Subscription > Access logs.
        2. Add %u in the Custom fields.
        3. Submit and commit the changes.
        4. Grep or tail the access logs based on the client IP address.
        5. The user agent string should be located at end of the access log line.
          Example: In a Chrome browser, you could see the user agent string as Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.X.Y.Z Safari/525.13.)
    2. Configure the WSA to bypass authentication for the user agent strings.
      1. Choose Web Security Manager > Identities. Click Add Identity.
        • Name: User Agent AuthExempt Identity
        • Insert Above: Set to order 1
        • Define Members by Subnet: Blank (or You could also define an IP address range/subnet)
        • Define Members by Authentication: No Authentication Required
        • Advanced > User Agents: Click None Selected. Under Custom user Agents, specify the User Agent string.
      2. Choose Web Security Manager > Access Policies. Click Add Policy.
        • Policy Name: Auth Exemption for User Agents
        • Insert Above Policy: Set to Order 1
        • Identity Policy: User Agent AuthExempt Identity
        • Advanced : None

    This configuration should exempt authentication for the specified user agents. The access policies will still filter (based on URL categories) and scan (McAfee, Webroot) traffic as per the access policy setup.

    Revision History

    Revision Publish Date Comments
    1.0
    22-Jul-2014
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Josh Wolfer
      Cisco TAC Engineer
    • Siddharth Rajpathak
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products