Introduction
This document describes how to bypass authentication for specific user agents on the Cisco Web Security Appliance (WSA), all AsyncOS Versions 7.x and later.
How do I bypass authentication for specific user agents?
You can bypass authentication for a particular application based on its user agent string. This is a two-step process.
- Determine the user agent string used by the application.
  - For standard applications, you should be able to find the user agent string on these websites:
    http://www.user-agents.org/
    http://www.useragentstring.com/pages/useragentstring.php
    http://www.infosyssec.com/infosyssec/security/useragentstrings.shtml
  - You could also determine the user agent string from access logs on the appliance. Complete these steps:
    - In the GUI, choose System Administration > Log Subscription > Access logs.
    - Add %u in the Custom fields.
    - Submit and commit the changes.
    - Grep or tail the access logs based on the client IP address.
    - The user agent string should be located at the end of the access log line.
    Example: For a Chrome browser, the user agent string could appear as Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.X.Y.Z Safari/525.13.
- Configure the WSA to bypass authentication for the user agent strings.
  - Choose Web Security Manager > Identities. Click Add Identity.
    - Name: User Agent AuthExempt Identity
    - Insert Above: Set to order 1
    - Define Members by Subnet: Blank (or define an IP address range/subnet to restrict the exemption to specific clients)
    - Define Members by Authentication: No Authentication Required
    - Advanced > User Agents: Click None Selected. Under Custom user Agents, specify the User Agent string.
  - Choose Web Security Manager > Access Policies. Click Add Policy.
    - Policy Name: Auth Exemption for User Agents
    - Insert Above Policy: Set to Order 1
    - Identity Policy: User Agent AuthExempt Identity
    - Advanced: None
This configuration should exempt authentication for the specified user agents. The access policies will still filter (based on URL categories) and scan (McAfee, Webroot) traffic as per the access policy setup.
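The access log lookup from step 1, together with a check of which client IP addresses present a given user agent string (the User-Agent header is chosen by the client), is sketched below as an added example that is not Cisco's code. The log lines are constructed, the function names are hypothetical, and the layout (client IP as the third field, the %u text after the final "> - ") is an assumption to adjust to your own log subscription.

```python
from collections import Counter

# Constructed, simplified access log lines (not taken from a real appliance).
# Assumed layout: client IP is the third whitespace-separated field and the
# %u custom field is the text after the final "> - " separator.
SAMPLE_LOG = """\
1700000000.101 45 10.1.1.50 TCP_MISS/200 5120 GET http://updates.example.com/a - DIRECT/updates.example.com text/html DEFAULT_CASE_12 <IW_comp,ns> - ExampleUpdater/2.1
1700000001.202 30 10.1.1.50 TCP_MISS/200 900 GET http://updates.example.com/b - DIRECT/updates.example.com text/html DEFAULT_CASE_12 <IW_comp,ns> - ExampleUpdater/2.1
1700000002.303 61 10.1.1.50 TCP_MISS/200 7300 GET http://www.example.com/ - DIRECT/www.example.com text/html DEFAULT_CASE_12 <IW_comp,ns> - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.X.Y.Z Safari/525.13
1700000003.404 12 10.9.9.77 TCP_MISS/200 640 GET http://www.example.org/ - DIRECT/www.example.org text/html DEFAULT_CASE_12 <IW_comp,ns> - ExampleUpdater/2.1
1700000004.505 12 10.1.1.50 TCP_DENIED/407 0 GET http://www.example.net/ - NONE/- - OTHER-NONE <-> - -
"""

def parse_line(line):
    """Return (client_ip, user_agent), or None if the line does not fit the assumed layout."""
    fields = line.split()
    _, sep, agent = line.rpartition("> - ")
    agent = agent.strip()
    # "-" is treated as "no user agent logged" (assumption for this sample).
    if len(fields) < 3 or not sep or agent in ("", "-"):
        return None
    return fields[2], agent

def agents_for_client(log_text, client_ip):
    """Step 1: count each user agent string sent by one client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == client_ip:
            counts[parsed[1]] += 1
    return counts

def clients_sending(log_text, agent_substring):
    """Audit: every client IP whose user agent contains the given string."""
    parsed_lines = map(parse_line, log_text.splitlines())
    return sorted({p[0] for p in parsed_lines if p and agent_substring in p[1]})

if __name__ == "__main__":
    for agent, hits in agents_for_client(SAMPLE_LOG, "10.1.1.50").most_common():
        print(hits, agent)
    print(clients_sending(SAMPLE_LOG, "ExampleUpdater"))
```

If `clients_sending` returns addresses outside the hosts that run the application, that supports filling in Define Members by Subnet rather than leaving it blank.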