
CCIE Security V4 Technology Labs Section 3: Intrusion Prevention and Content Security


Active Directory Integration
Last updated: May 15, 2013

Task
Configure the WSA to talk to the AD server at 192.168.42.100.
The AD server has two groups that will be important to us in these labs: Contractors and
Employees.
Both of these groups have a corresponding user: contractor and employee, with the password
cisco123.

Configuration
WSA
To integrate the WSA with AD, we need to add a realm under the Network > Authentication
section. Navigate there and click the Add Realm button.

We're now adding an NTLM Authentication Realm. We need to provide the following values:
1. Name the Realm
2. Select NTLM as the Authentication Protocol and Scheme
3. Define the IP of the AD Server
4. Define the AD domain, in this case INELAB.LOCAL
Once we supply these values we need to click the Join Domain button.

Clicking the Join Domain button opens a popover window where we provide our
authentication credentials. These credentials must belong to an account that has the rights to add
devices to the domain, because in this case we are adding the WSA as a computer on the domain.

If we successfully joined the domain, we will see a success message showing that the computer
account wsa$ was created. A few things can go wrong here; the primary issue is
time synchronization. If our time is off, we may not be able to join the domain. For this reason, it's
advised that you sync to a common NTP server in the domain.
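
To check the time-synchronization caveat above before clicking Join Domain, the following added example (not part of the original lab) computes the clock offset from an SNTP reply and compares it with a tolerance. It assumes the AD server answers NTP on UDP 123 and that the domain uses the default Kerberos clock-skew tolerance of 5 minutes; the function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)
MAX_SKEW_S = 300              # assumption: AD default Kerberos tolerance of 5 minutes

def ntp_to_unix(sec, frac):
    """Convert a 64-bit NTP timestamp (seconds, fraction) to Unix seconds."""
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server clock minus local clock, in seconds.

    t1 = local time the request was sent, t4 = local time the reply arrived.
    """
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:   # mode 4 = server, stratum 0 = unusable
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2

def within_join_tolerance(offset):
    """True when the measured skew is inside the assumed tolerance."""
    return abs(offset) <= MAX_SKEW_S

def query_offset(server, timeout=3.0):
    """Send one SNTP client request (VN=3, mode=3) and return the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x1b" + 47 * b"\x00", (server, 123))
        reply, _ = s.recvfrom(512)
        return clock_offset(reply, t1, time.time())

def sample_reply(server_unix_time):
    """Constructed reply (stratum 2) whose receive/transmit stamps equal the given time."""
    ntp_sec = int(server_unix_time) + NTP_EPOCH_DELTA
    return b"\x1c\x02" + 30 * b"\x00" + struct.pack("!4I", ntp_sec, 0, ntp_sec, 0)

if __name__ == "__main__":
    local = 1368576000.0   # constructed local clock reading
    off = clock_offset(sample_reply(local + 400), local, local)
    print(f"offset {off:+.1f}s, join likely ok: {within_join_tolerance(off)}")
    # Live check from an admin host: query_offset("192.168.42.100")
```

The script measures the AD server against the host it runs on, not against the WSA itself, so run it from a machine synced to the same NTP source the WSA uses.
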
After we join the domain we want to test the settings. This will perform a series of tests to verify that
we can talk to the domain properly, and it includes name resolution. In the lab environment the AD
server acts as DNS server as well. You can access and modify the DNS settings as you need.

What we want to see is the test completing successfully, as it does here. We can now click
Submit to apply the configuration.
We can then verify the config prior to committing the changes.

We want to ensure that we get the message that the commit was successful.

Verification
The only verification during this task is when we tested after joining the domain. If that test
succeeded, no further verification is necessary at this point. In the next few labs, the users from the
AD server will be used, verifying the functionality of this configuration.
