Desktop Authority Essentials
Cisco CDA (Context Directory Assistant) is a virtual appliance that reads logs from our domain controllers and creates a mapping of user name to IP address. This data can in turn be supplied to Cisco webfilters and firewalls to create user based policy access.
For the most part this works great, but sometimes people are randomly detected as 'scriptlogicuser' instead of their actual user name. I had a marketing person submit a ticket today because they are blocked from YouTube (normally people are, but Marketing is not as they handle our social media). Upon investigation her IP address was marked down as 'scriptlogicuser'.
Any way we can avoid this with Desktop Authority?
The service account scriptlogicuser is obviously not the interactive logged on user. It is a service account and therefore should not be detected as the interactive logged on user by the Cisco application. The Cisco application should be filtering for a specific logon type 2 which will distinguish it from the various other logon types. You can use WMI to independently query for the interactive logged on user by entering the following at a command prompt: WMIC /Node:computername ComputerSystem Get UserName. I would recommend that you contact the vendor and ask them if there is a method to instruct the application to ignore that service account or to filter on the appropriate specific logon type.
Thank you for your assistance. It turns out the Cisco appliance has a filter capability to filter out specific accounts from being recorded to the user id to ip address mapping (such as service accounts and also in this case scriptlogicuser).
After applying this filter, everything is working normally again.
Thank you for your help. Your information did help piece together how things work.
CDA is a little finicky... Took us a while to figure out we could exclude service accounts. Also note, if you have a non-persistent VDI environment for use w/ CDA/FW filtering, the user may want to reboot or relogin more than 8 times in 24 hours... CDA has an 8 IP to 1 ID mapping. If your user group or help desk instructs the user to reboot a bunch of times you are going to have issues that require someone to clear the cached mappings. Overall a really good solution for dynamic FW IP user mappings instead of moving to something much more involved like ISE.
P.S. - You can also exclude subnets from the WMI scrub process. So you can ignore other DHCP scopes that may not be part of client subnets that you are filtering or protecting, yet for some reason they may still authenticate against the AD controllers that you are monitoring w/ CDA.
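To make the three filters discussed in this thread concrete (logon type 2 only, excluded service accounts such as scriptlogicuser, ignored subnets) together with the 8-IP-to-1-ID limit from the reply above, here is an added toy mapper run over constructed Windows 4624 logon records. It is example code written for this thread, not Cisco CDA's or Desktop Authority's implementation; the account names, addresses and the 10.9.0.0/16 "non-client" scope are made up.

```python
"""Toy user-to-IP mapper illustrating the CDA filters discussed in the thread.
Constructed data only; NOT Cisco CDA's or Desktop Authority's code."""
import ipaddress

INTERACTIVE_LOGON_TYPE = 2                 # interactive logon, as the answer recommends
EXCLUDED_ACCOUNTS = {"scriptlogicuser"}    # service accounts kept out of the mapping
IGNORED_SUBNETS = [ipaddress.ip_network("10.9.0.0/16")]  # constructed non-client DHCP scope
MAX_IPS_PER_USER = 8                       # CDA's 8-IP-to-1-ID limit mentioned in the thread

# Constructed sample events; field names follow the Security 4624 event schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "scriptlogicuser", "LogonType": 5, "IpAddress": "10.1.2.30"},
    {"EventID": 4624, "TargetUserName": "mjones", "LogonType": 2, "IpAddress": "10.1.2.30"},
    {"EventID": 4624, "TargetUserName": "scriptlogicuser", "LogonType": 2, "IpAddress": "10.1.2.31"},
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 3, "IpAddress": "10.1.2.31"},
    {"EventID": 4624, "TargetUserName": "mjones", "LogonType": 2, "IpAddress": "10.9.5.7"},
    {"EventID": 4634, "TargetUserName": "mjones", "LogonType": 2, "IpAddress": "10.1.2.30"},
] + [  # constructed VDI user who re-logged on from nine different pool addresses
    {"EventID": 4624, "TargetUserName": "vdi_user", "LogonType": 2, "IpAddress": f"10.1.3.{n}"}
    for n in range(1, 10)
]

def should_map(event, excluded=EXCLUDED_ACCOUNTS, ignored=IGNORED_SUBNETS):
    """True only for a successful interactive logon (4624, type 2) by a
    non-excluded account from an address outside the ignored subnets."""
    if event.get("EventID") != 4624 or event.get("LogonType") != INTERACTIVE_LOGON_TYPE:
        return False
    if event.get("TargetUserName", "").lower() in {a.lower() for a in excluded}:
        return False
    try:
        addr = ipaddress.ip_address(event.get("IpAddress", ""))
    except ValueError:          # "-" placeholders in 4624 events are skipped
        return False
    return not any(addr in net for net in ignored)

def build_mapping(events, max_ips=MAX_IPS_PER_USER, **filters):
    """Return (ip_to_user, over_limit): the latest user seen per IP, plus the
    users whose distinct-IP count exceeded max_ips (the non-persistent VDI case)."""
    ip_to_user, user_ips, over_limit = {}, {}, set()
    for ev in events:
        if not should_map(ev, **filters):
            continue
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        ips = user_ips.setdefault(user, set())
        ips.add(ip)
        if len(ips) > max_ips:
            over_limit.add(user)   # someone would have to clear the cached mappings here
            continue
        ip_to_user[ip] = user
    return ip_to_user, sorted(over_limit)

if __name__ == "__main__":
    mapping, flagged = build_mapping(SAMPLE_EVENTS)
    for ip, user in sorted(mapping.items()):
        print(f"{ip:<12} -> {user}")
    print("over the per-user IP limit:", flagged)
```

With the sample data the scriptlogicuser logons, the type 3 and type 5 logons, the logoff record and the 10.9.x.x address all drop out, and vdi_user is reported once the ninth address appears.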