Cisco Web Security Appliance S670 Information Manual

What are Identities, and how do they relate to Access Policies?
Document ID: 117987
Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 17, 2014
Contents
Question
Environment
Solution 
Question
What are Identities, and how do they relate to Access Policies?
Environment
AsyncOS for Web 5.6 and newer.
Solution 
Identities are configured on the Cisco Web Security Appliance (WSA) in the web GUI under the 'Web Security
Manager' tab.
An Identity is essentially a policy that determines how a user should be authenticated, and it can match on many
different attributes. This gives much greater flexibility with authentication as a whole.
For instance, it is possible to create an Identity that matches on one or more specific user agents and
then set this Identity to not require authentication. This exempts only specific
applications from authentication, which can be very useful in certain circumstances.
To use Identities correctly, it is important to understand how they are processed. When the appliance
receives a client request, it first tries to match an Identity from the list, working from the top down, and the
first match wins. This is similar to how Web Access Policies work.
Once the Identity has been matched, the appliance checks the Access Policies list, evaluating the policies
from the top down and looking for a match. It is important to note that each Access Policy can be
configured to match only a specific Identity, or it can be set to match All Identities.
Note: If the access policy specifies a single identity, and this identity is not the identity matched by the client,
then the access policy will be skipped.
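
The two-stage lookup described above can be modelled in a few lines. This is an added illustration, not Cisco code or WSA configuration syntax: all class, function and policy names are hypothetical, and Identities here match only on a User-Agent substring. It also shows the ordering pitfall that follows from "first match wins": a broad Identity placed above an authentication exemption shadows it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    name: str
    user_agents: tuple = ()       # substrings to match; empty tuple matches any client
    require_auth: bool = True

@dataclass
class AccessPolicy:
    name: str
    identity: Optional[str] = None    # None models "All Identities"

def match_identity(identities, user_agent):
    """Walk the Identity list top-down; the first match wins."""
    for ident in identities:
        if not ident.user_agents or any(s in user_agent for s in ident.user_agents):
            return ident
    return None

def match_policy(policies, ident):
    """Walk the Access Policy list top-down, skipping policies bound to another Identity."""
    for pol in policies:
        if pol.identity is None or pol.identity == ident.name:
            return pol
    return None

def evaluate(identities, policies, user_agent):
    """Return (identity name, auth required?, access policy name) or None if no Identity matches."""
    ident = match_identity(identities, user_agent)
    if ident is None:
        return None
    pol = match_policy(policies, ident)
    return (ident.name, ident.require_auth, pol.name if pol else None)

# Constructed sample configuration (all names hypothetical).
UPDATER = Identity("Updater-NoAuth", user_agents=("ExampleUpdater/",), require_auth=False)
EVERYONE = Identity("All-Users")
POLICIES = [AccessPolicy("Updater-Sites", identity="Updater-NoAuth"),
            AccessPolicy("Staff-Browsing", identity="All-Users"),
            AccessPolicy("Catch-All")]

GOOD_ORDER = [UPDATER, EVERYONE]
BAD_ORDER = [EVERYONE, UPDATER]   # broad Identity on top shadows the exemption

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for ua in ("ExampleUpdater/2.1", "Mozilla/5.0"):
            print(label, ua, evaluate(order, POLICIES, ua))
```

With `BAD_ORDER`, the updater's request lands on the broad Identity, so it is asked to authenticate and the Access Policy bound to the exemption Identity is skipped for it.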