Cisco Web Security Appliance S670 Operating Instructions

Enhanced: Authentication
Chapter 1: Getting Started with the Web Security Appliance
Guest Access (Failed Authentication)
Some users have no account in the organization's user directory: visitors, contractors, interns, and students on a short course are typical examples. AsyncOS for Web 6.0 lets you define policies for users who fail authentication because their credentials are invalid. Users who fail authentication and are granted access are logged in as guests, and their activity is logged by user name (as entered by the user) or by IP address. Because that user name was never verified, treat it as a label for logging only, not as an authenticated identity.
To grant guest access to users who fail authentication, create an Identity that requires authentication but also allows guest privileges. Then create another policy that uses that Identity and apply it to the guest users. Users with guest access can reach only the resources defined in the policy group that specifies guest access for that Identity. Typically, guest policies allow limited access to web resources.
NTLM Authentication Caching
In previous versions, when the Web Security appliance used cookie-based NTLMSSP authentication, users were authenticated against the Active Directory server every time they made a request to a new domain. In AsyncOS for Web 6.0, the Web Security appliance uses authentication caching to reduce the load on the Active Directory server: when a user authenticates for the first time, the appliance adds a master cookie to the request. Subsequent requests are authenticated by validating that cookie, so repeated round trips to the Active Directory server are avoided and overall authentication performance improves.
Active Directory 2008 Support
AsyncOS for Web 6.0 supports Active Directory 2008, without requiring an older version of 
Active Directory in the network.
Surrogates in Explicit Forward Mode
In previous versions, you could configure authentication surrogates for caching authentication credentials only in transparent mode or when secure client authentication (now called credential encryption) was enabled. Authentication surrogates associate transactions with a user, either by IP address or by cookie, after the user has authenticated successfully.
In AsyncOS for Web 6.0, you can configure authentication surrogates for both transparent and explicit forward deployments, whether or not credential encryption is enabled.
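The three behaviours described in this section (guest access after failed authentication, a master cookie that spares the directory server on later requests, and IP or cookie surrogates) can be seen together in a small simulation. The following is an added example, not Cisco code and not a description of the AsyncOS implementation: the request dictionary shape, the cookie format (user, expiry and an HMAC-SHA256 tag), the signing key, the surrogate lifetime and the `guest(...)` log label are all assumptions made for the illustration, and the directory and its accounts are constructed sample data.

```python
# Added example (not Cisco/AsyncOS code): a toy explicit-forward proxy that
# models authentication caching, IP/cookie surrogates and guest access.
# Cookie format, signing key, TTL and request shape are assumptions.
import hashlib
import hmac
import secrets
import time


class Directory:
    """Stand-in for the Active Directory / LDAP server; counts lookups."""

    def __init__(self, users):
        self.users = users      # constructed sample accounts: name -> password
        self.lookups = 0

    def authenticate(self, name, password):
        self.lookups += 1
        return name in self.users and self.users[name] == password


class Proxy:
    """Toy forward proxy: surrogate lookup first, directory only on a miss."""

    def __init__(self, directory, surrogate="cookie", ttl=3600,
                 allow_guest=True, key=None):
        if surrogate not in ("cookie", "ip"):
            raise ValueError("surrogate must be 'cookie' or 'ip'")
        self.directory = directory
        self.surrogate = surrogate
        self.ttl = ttl                              # surrogate lifetime, seconds (assumed)
        self.allow_guest = allow_guest
        self.key = key or secrets.token_bytes(32)   # cookie-signing key (assumed)
        self.ip_table = {}                          # ip -> (user, expiry) for IP surrogates
        self.log = []                               # (label, ip, host, decision)

    def _mint_cookie(self, user, now):
        # "Master cookie" stand-in: user|expiry|HMAC-SHA256(user|expiry).
        expiry = int(now) + self.ttl
        payload = f"{user}|{expiry}"
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def _check_cookie(self, cookie, now):
        # Malformed, forged or expired cookies fall through to re-authentication;
        # none of these checks touch the directory.
        parts = cookie.split("|")
        if len(parts) != 3:
            return None
        user, expiry, tag = parts
        expected = hmac.new(self.key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
        if not expiry.isdigit() or not hmac.compare_digest(tag, expected) or now > int(expiry):
            return None
        return user

    def _surrogate_user(self, req, now):
        if self.surrogate == "cookie":
            cookie = req.get("cookie")
            return self._check_cookie(cookie, now) if cookie else None
        # IP surrogate: every request from the address is attributed to whoever
        # authenticated from it, so shared or NAT'd addresses blur identity.
        entry = self.ip_table.get(req["ip"])
        return entry[0] if entry and now <= entry[1] else None

    def handle(self, req, now=None):
        """Return (label, decision, cookie_to_set) for one request dict."""
        now = time.time() if now is None else now
        user = self._surrogate_user(req, now)
        if user:
            self.log.append((user, req["ip"], req["host"], "allow:surrogate"))
            return user, "allow:surrogate", None
        creds = req.get("credentials")
        if creds is None:
            return None, "challenge", None          # ask the client to authenticate
        name, password = creds
        if self.directory.authenticate(name, password):
            cookie = None
            if self.surrogate == "cookie":
                cookie = self._mint_cookie(name, now)
            else:
                self.ip_table[req["ip"]] = (name, now + self.ttl)
            self.log.append((name, req["ip"], req["host"], "allow:authenticated"))
            return name, "allow:authenticated", cookie
        if self.allow_guest:
            # Failed authentication: the name was never verified, so it is only a
            # log label; the request is served under the guest policy.
            label = f"guest({name})" if name else f"guest({req['ip']})"
            self.log.append((label, req["ip"], req["host"], "allow:guest"))
            return label, "allow:guest", None
        return None, "deny", None


def run_demo():
    """Constructed traffic: one user browsing three hosts, then a visitor."""
    directory = Directory({"alice": "correct horse"})
    proxy = Proxy(directory, surrogate="cookie", key=b"demo-key-not-for-production")
    first = {"ip": "10.1.2.3", "host": "intranet.example",
             "credentials": ("alice", "correct horse")}
    _, _, cookie = proxy.handle(first, now=1000)
    for host in ("mail.example", "wiki.example"):
        proxy.handle({"ip": "10.1.2.3", "host": host, "cookie": cookie}, now=1001)
    proxy.handle({"ip": "10.1.2.99", "host": "news.example",
                  "credentials": ("visitor", "x")}, now=1002)
    return directory.lookups, proxy.log


if __name__ == "__main__":
    lookups, entries = run_demo()
    print(f"directory lookups: {lookups}")
    for entry in entries:
        print(entry)
```

Running it shows two directory lookups for four requests: alice's two later requests to new hosts are satisfied from the cookie, and the visitor's failed login is served as `guest(visitor)` without any stored identity. Switching `surrogate="ip"` removes the cookie round trip but attributes everything from `10.1.2.3` to alice until the entry expires, which is the trade-off to weigh on shared workstations or behind NAT.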
User Attribute Based Authentication
In AsyncOS for Web 6.0, when you enable group authorization in an LDAP authentication 
realm, you can group users by the LDAP user object as well as by group object. In previous