Cisco Web Security Appliance S670 User Guide

Chapter 20      Authentication
Understanding How Authentication Works
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Table 20-6 lists advantages and disadvantages of using transparent Basic authentication and cookie-based credential caching.

Table 20-6   Pros and Cons of Transparent Basic Authentication—Cookie Caching

Advantages
  • Works with all major browsers
  • Authentication is associated with the user rather than the host or IP address

Disadvantages
  • Each new web domain requires the entire authentication process because cookies are domain specific
  • Requires cookies to be enabled
  • Does not work for HTTPS requests
  • No single sign-on
  • Password is sent as clear text (Base64)

Explicit Forward Deployment, NTLM Authentication
The Web Proxy uses a third-party challenge and response system to authenticate users on the network.

The authentication process comprises these steps:

Step 1   Client sends a request to the Web Proxy to connect to a web page.
Step 2   Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
Step 3   Client repeats the request and includes a “Proxy-Authorization” HTTP header with an NTLM “negotiate” message.
Step 4   Web Proxy responds with a 407 HTTP response and an NTLM “challenge” message based on the negotiate message from the client.
Step 5   Client repeats the request and includes a response to the challenge message.

Note   The client uses an algorithm based on its password to modify the challenge and sends the challenge response to the Web Proxy.
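
The messages in steps 3 to 5 travel as Base64 tokens after the scheme name NTLM, so a proxy capture can be checked for the expected order. The following is an added example, not code from the Cisco guide: it assumes the 407 response carries its token in the standard Proxy-Authenticate header, reads the message type and server challenge at their offsets in the NTLM message layout, and uses constructed sample tokens with placeholder field contents.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# Header each message must travel in: client request vs. proxy 407 response.
EXPECTED_HEADER = {"negotiate": "proxy-authorization", "challenge": "proxy-authenticate",
                   "authenticate": "proxy-authorization"}


def parse_ntlm_header(header_line):
    """Return (header name, NTLM message type, server challenge hex or None)."""
    name, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM token")
    raw = base64.b64decode(token.strip(), validate=True)
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (type_id,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32 at offset 8
    if type_id not in MESSAGE_TYPES:
        raise ValueError(f"unknown NTLM message type {type_id}")
    challenge = None
    if type_id == 2:
        if len(raw) < 32:
            raise ValueError("truncated challenge message")
        challenge = raw[24:32].hex()  # 8-byte server challenge at offset 24
    return name.strip().lower(), MESSAGE_TYPES[type_id], challenge


def handshake_in_order(header_lines):
    """True if the tokens are negotiate, challenge, authenticate in the right headers."""
    parsed = [parse_ntlm_header(line) for line in header_lines]
    kinds = [kind for _, kind, _ in parsed]
    return (kinds == ["negotiate", "challenge", "authenticate"]
            and all(name == EXPECTED_HEADER[kind] for name, kind, _ in parsed))


def _token(type_id, body):
    """Build a constructed sample token (not a real capture)."""
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", type_id) + body).decode()


# Constructed headers for steps 3, 4 and 5; field contents are placeholder bytes.
SAMPLE = [
    "Proxy-Authorization: NTLM " + _token(1, bytes(4)),
    "Proxy-Authenticate: NTLM " + _token(2, bytes(12) + bytes.fromhex("0123456789abcdef")),
    "Proxy-Authorization: NTLM " + _token(3, bytes(52)),
]
```

Calling handshake_in_order(SAMPLE) returns True; a header using another scheme, such as Basic, is rejected with ValueError rather than misread as NTLM.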