Cisco Web Security Appliance S670 User Guide

Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 7      Identities
Allowing Guest Access to Users Who Fail Authentication
You can grant limited access to users who fail authentication due to invalid 
credentials. By default, when a client passes invalid authentication credentials, 
the Web Proxy continually requests valid credentials, essentially blocking access 
to all Internet resources. However, when you allow guest access, the first time the 
client passes invalid authentication credentials, the user is treated as a guest and 
the Web Proxy does not request authentication again.
You might want to grant guest access to users in the following situations:
  • A visitor comes to the office and needs to be granted restrictive Internet
    access, but is not in the corporate user directory.
  • An employee from another branch location (or from an acquired company)
    comes to the corporate headquarters, and needs Internet access. The user
    directories of the branch location (or acquired company) and corporate
    headquarters are separate, so the employee’s credentials do not work in the
    corporate headquarters.
  • A new hire has been provided credentials in an email but they are not yet
    populated in the authentication server.
  • A user logs into a Windows workstation using a local account instead of a
    Windows domain account and the user needs access to the Internet.
The authentication server administrator in your organization can create a guest 
user account in the user directory. However, allowing guest access through the 
Web Security appliance has the benefit that the administrator does not have to 
communicate the guest credentials to every visitor.
To grant guest access to users who fail authentication, you create an Identity that 
requires authentication, but also allows guest privileges. Then you create another 
policy using that Identity and apply that policy to the guest users. When users who 
fail authentication have guest access, they can access the resources defined in the 
policy group that specifies guest access for that Identity.
A user who fails authentication has all transactions blocked if either of the
following conditions is true:
  • Guest privileges are not provided in any Identity.
  • The user does not match any Identity that provides guest privileges.