Cisco Web Security Appliance S390 Operating Instructions
Chapter 7 Identities
Allowing Guest Access to Users Who Fail Authentication
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
A user who fails authentication has transactions allowed when all of the following
conditions are true:
• The user matches an Identity with guest privileges.
• A non-Identity policy group uses that Identity and applies to guest users.
For example, you can create an Access or Decryption Policy that is specific to
guest users.
Note
If an Identity allows guest access and there is no user defined policy group that
uses that Identity, users who fail authentication match the global policy for that
policy type. For example, if MyIdentity allows guest access and there is no user
defined Access Policy that uses MyIdentity, users who fail authentication match
the global Access Policy. If you do not want guest users to match a global policy,
create a policy group above the global policy that applies to guest users and blocks
all access.
When the Web Proxy grants a user guest access, it identifies and logs the user as
a guest in the access logs. You can specify whether the Web Proxy identifies the
user by IP address or user name. In the access logs, reports, and end-user
acknowledgement page, entries for guest users have one of the following formats:
• (unauthenticated)IP_address
• (unauthenticated)username_entered
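An added example (not from the Cisco guide): a Python check that finds guest entries by the (unauthenticated) prefix described above and counts those that matched the global Access Policy, the fall-through case the Note warns about. The field positions, the decision-tag layout and the DefaultGroup name are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

GUEST_PREFIX = "(unauthenticated)"  # prefix the guide gives for guest entries

# Constructed sample lines. ASSUMED layout (not taken from this page): Squid-style
# fields, user in field 8, decision tag in field 11 with the Access Policy group
# as its second "-"-separated part, and "DefaultGroup" meaning the global policy.
SAMPLE_LOG = """\
1278096903.150 97 10.1.1.20 TCP_MISS/200 8187 GET http://example.com/ (unauthenticated)10.1.1.20 DIRECT/example.com text/html DEFAULT_CASE-GuestAccess-MyIdentity-NONE-NONE-DefaultRouting
1278096910.412 45 10.1.1.31 TCP_MISS/200 512 GET http://example.org/a (unauthenticated)jdoe DIRECT/example.org text/html DEFAULT_CASE-DefaultGroup-MyIdentity-NONE-NONE-DefaultRouting
1278096915.003 12 10.1.1.40 TCP_MISS/200 900 GET http://example.net/ asmith@corp DIRECT/example.net text/html DEFAULT_CASE-Staff-MyIdentity-NONE-NONE-DefaultRouting
1278096920.771 30 10.1.1.31 TCP_DENIED/403 0 GET http://example.org/b "(unauthenticated)jdoe" NONE/- - BLOCK_WEBCAT-DefaultGroup-MyIdentity-NONE-NONE-DefaultRouting
truncated line
"""

def parse_guest(line, user_idx=7, tag_idx=10):
    """Return a dict for a guest entry, or None for other or malformed lines."""
    fields = line.split()
    if len(fields) <= max(user_idx, tag_idx):
        return None
    user = fields[user_idx].strip('"')  # tolerate a quoted user field
    if not user.startswith(GUEST_PREFIX):
        return None
    ident = user[len(GUEST_PREFIX):]
    try:
        ipaddress.ip_address(ident)  # guest identified by IP address
        kind = "ip"
    except ValueError:               # guest identified by the user name entered
        kind = "username"
    tag_parts = fields[tag_idx].split("-")
    policy = tag_parts[1] if len(tag_parts) > 1 else ""
    return {"client": fields[2], "guest": ident, "kind": kind, "policy": policy}

def guests_on_global_policy(log_text, global_policy="DefaultGroup"):
    """Count guest transactions per (guest, client) that hit the global policy."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_guest(line)
        if entry and entry["policy"] == global_policy:
            hits[(entry["guest"], entry["client"])] += 1
    return hits

if __name__ == "__main__":
    for (guest, client), n in guests_on_global_policy(SAMPLE_LOG).items():
        print(f"guest {guest!r} from {client}: {n} transaction(s) on the global policy")
```

Adjust user_idx, tag_idx and global_policy to match the access log format configured on the appliance before running this over real logs.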
You can enable guest access for an Identity that uses any authentication protocol
or scheme.
To grant guest access to a user:
Step 1 Define an Identity group and enable the Support Guest privileges option.