Cisco Web Security Appliance S670 User Guide

Cisco AsyncOS for Web User Guide
 
Chapter 6      Acquire End-User Credentials
  Failed Authentication
Note: If an Identity allows guest access and there is no user-defined policy that uses that Identity, users who
fail authentication match the global policy of the applicable policy type. For example, if MyIdentity
allows guest access and there is no user-defined Access Policy that uses MyIdentity, users who fail
authentication match the global Access Policy. If you do not want guest users to match a global policy,
create a policy above the global policy that applies to guest users and blocks all access.
Define an Identity that Supports Guest Access
Step 1  Choose Web Security Manager > Identities.
Step 2  Click Add Identity to add a new identity, or click the name of an existing identity that you wish to use.
Step 3  Check the Support Guest Privileges check box.
Step 4  Submit and commit your changes.
Use an Identity that Supports Guest Access in a Policy
Step 1  Choose a policy type from the Web Security Manager menu.
Step 2  Click a policy name in the policies table.
Step 3  Choose Select One Or More Identities from the Identities And Users drop-down list (if not already chosen).
Step 4  Choose an identity that supports guest access from the drop-down list in the Identity column.
Step 5  Click the Guests (Users Failing Authentication) radio button.
Note: If this option is not available, it means the identity you chose is not configured to support guest
access. Return to step 
 and choose another, or see 
 to define a new one.
Step 6  Submit and commit your changes.
Configure How Guest User Details are Logged
Step 1  Choose Network > Authentication.
Step 2  Click Edit Global Settings.
Step 3  Click a Log Guest User By radio button, described below, in the Failed Authentication Handling field.
Radio button                       Description
IP Address                         The IP address of the guest user’s client will be logged in the access logs.
User Name As Entered By End-User   The user name that originally failed authentication will be logged in the access logs.