Cisco Web Security Appliance S690 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
• Client application cannot perform authentication. Some clients cannot perform authentication or cannot perform the type of authentication that is required. If a client application causes authentication to fail, you can define an Identity policy based on the user agent and exclude it from requiring authentication. Or, you can define an Identity policy based on a custom URL category to exclude all clients from requiring authentication when accessing particular URLs.
• Authentication server is unavailable. An authentication server might be unavailable if the network connection is broken or if the server is experiencing a problem. To avoid this problem, configure the “Action if Authentication Service Unavailable” global authentication setting. For more information, see .
• Invalid credentials. When a client passes invalid authentication credentials, the Web Proxy continually requests valid credentials, essentially blocking access to the web by default. However, you can grant limited access to users who fail authentication. For more information, see
Note
You can configure the Web Proxy to request authentication again if an authenticated user is blocked from a website due to restrictive URL filtering or being prevented from logging into multiple machines simultaneously. To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction” global authentication setting. For more information, see
Working with Windows 7 and Windows Vista
Windows 7 and Windows Vista machines have a feature called Network Connectivity Status Indicator (NCSI). When clients on your network use NCSI and the Web Security appliance uses NTLMSSP authentication, you should configure the appliance so it uses a relatively small timeout value for machine credentials. Do this using the advancedproxyconfig > authentication CLI command:
Enter the surrogate timeout for machine credentials.
When NCSI is running on a Windows machine, it checks for network connectivity by making HTTP requests. When the machine running NCSI is prompted to authenticate (the request is assigned an Identity Policy that requires authentication), NCSI authenticates using the machine’s credentials instead of the user’s credentials.
When the Identity Policy uses IP-based surrogates, subsequent requests from the user might be assigned an incorrect Access Policy, because the user would be identified using the machine credentials instead of the user’s own credentials.
You can use the advancedproxyconfig > authentication CLI command to specify how long the IP address surrogate is used for machine credentials before requiring authentication again. The Web Proxy differentiates between user and machine credentials.
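As an added illustration (not Cisco’s code, and not how AsyncOS implements its surrogate table), the following Python model shows why the machine-credential surrogate timeout matters: an NCSI probe authenticated with a machine account binds the client IP to that identity, and until that surrogate expires the user’s own traffic is classified under it. The “account name ends in `$`” test for machine credentials, the client address and the timeout values are assumptions of the model.

```python
from dataclasses import dataclass

USER_SURROGATE_TTL = 3600    # seconds a user identity stays bound to an IP (assumed)
MACHINE_SURROGATE_TTL = 10   # the short machine-credential timeout the text recommends (assumed)


def is_machine_credential(account: str) -> bool:
    """Model assumption: Windows computer accounts are named HOST$ (e.g. WS01$)."""
    return account.endswith("$")


@dataclass
class Surrogate:
    account: str
    expires_at: float


class IpSurrogateCache:
    """Maps a client IP to the identity that last authenticated from it, with a TTL."""

    def __init__(self, user_ttl: float, machine_ttl: float) -> None:
        self.user_ttl = user_ttl
        self.machine_ttl = machine_ttl
        self.table = {}

    def record_auth(self, ip: str, account: str, now: float) -> None:
        # Machine and user credentials get different lifetimes, as the proxy distinguishes them.
        ttl = self.machine_ttl if is_machine_credential(account) else self.user_ttl
        self.table[ip] = Surrogate(account, now + ttl)

    def lookup(self, ip: str, now: float):
        s = self.table.get(ip)
        if s is None or now >= s.expires_at:
            self.table.pop(ip, None)
            return None   # no live surrogate: the proxy must challenge for credentials again
        return s.account


def simulate(machine_ttl: float) -> str:
    """Replay a constructed sequence: NCSI probe at t=0, interactive user request at t=30."""
    cache = IpSurrogateCache(USER_SURROGATE_TTL, machine_ttl)
    ip = "10.0.0.25"                      # constructed client address
    cache.record_auth(ip, "WS01$", now=0)   # NCSI probe answers the challenge with machine creds
    identity = cache.lookup(ip, now=30)     # the user's browser request from the same IP
    if identity is None:
        cache.record_auth(ip, "jdoe", now=30)   # surrogate expired: user is challenged and authenticates
        identity = cache.lookup(ip, now=30)
    return identity
```

With the machine timeout equal to the user timeout, `simulate` returns the machine account and the user’s request is policy-matched as the machine; with the short machine timeout it returns the user, because the expired surrogate forces a fresh authentication.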
Understanding How Authentication Works
To authenticate users who access the web, the Web Security appliance connects to an external authentication server. The authentication server contains a list of users and their corresponding passwords, and it organizes the users into a hierarchy. For users on the network to successfully authenticate, they must provide valid authentication credentials (user name and password as stored in the authentication server).