Sam,

That part I understand. The problem is that the task says unauthenticated users should be able to access ipexpert from 10 to 4 pm. So here is what I did:

Created the identity with the guest privileges for non-authenticated users and put it right above the global policy. That means that if:

Authentication fails
And the source address is x.x.x.x
And the time is between 10 to 4

Then allow ipexpert.com and block everything else.

However, when they create the policy, they don't add the identity; the example just adds authenticated users and not authenticated users, which I don't think fulfills the task needs.

Let me know.

Mike

Date: Thu, 20 Jun 2013 08:02:19 +0530
Subject: Re: [OSL | CCIE_Security] WSA Research Host NoAuth Policy
From: [email protected]
To: [email protected]; [email protected]

Hi Mike,

The identity policy tells if a user will be authenticated or not. If in the global policy you specify all to be authenticated, then everyone should undergo authentication unless specific rules above the global ID policy bypass the auth. Once that is done, we now have the user info. This can be used in the access policy group membership to apply specific AUPs.

The default access global policy tries to match all the rules in the identity policy. Hence if you have auth enabled in the default identity policy, then the global ap policy matches it. Remember, access and identity policies are interlinked and dependent.

Sam

Sent from Samsung Mobile

-------- Original message --------
From: Mike Rojas <[email protected]>
Date: 20/06/2013 06:59 (GMT+05:30)
To: [email protected]
Subject: [OSL | CCIE_Security] WSA Research Host NoAuth Policy

Hi;

I am doing the policy where the not authenticated user can access the internet from a specific time-range defined. I can see that on the DSG the time-range is defined. Then, the policy is created, but I don't see the identity being used anywhere....

What I did was to create the identity and on the policy, when they said identity to use, I selected the one that I created, then on advanced, I selected my time-range; instead, on the DSG they select all, authenticated and not authenticated users.

Any thoughts?

Mike Rojas
Security Technical Lead
