Cisco Web Security Appliance S690 User Guide

6-11
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 6      Working with Policies
Policy Group Membership
Authentication is the mechanism by which the Web Proxy securely identifies a 
user. It answers the following questions:
  • Who is the user?
  • Is the user really whom he/she claims to be?
Authorization is the mechanism by which the Web Proxy determines the level of 
access the user has to the World Wide Web. It answers the following questions:
  • Is this user allowed to view this website?
  • Is this user allowed to connect to this HTTPS server without the connection 
being decrypted?
  • Is this user allowed to connect directly to the web server, or must the 
request go through another (upstream) proxy server first?
  • Is this user allowed to upload this data?
The Web Proxy can only authorize a user to access an Internet resource after it 
has authenticated who the user is. The Web Proxy authenticates users when it 
evaluates Identity groups, and it authorizes users when it evaluates all other 
policy group types. In other words, the Identity group establishes who is making 
the request, but it does not decide whether that client is allowed to make the 
request. Because authentication is separated from authorization, you can create 
a single Identity group that identifies a set of users and then create multiple 
policy groups that grant different levels of access to subsets of the users in 
that Identity.
For example, you can create one Identity group that covers all users in an 
authentication sequence. Then you can create an Access Policy group for each 
authentication realm in the sequence. You can also use this Identity to create one 
Decryption Policy with the same level of access for all users in the Identity.
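The two-phase evaluation described above, modelled in Python as an added illustration (this is not AsyncOS code and not part of the original guide). The realm names, user accounts, URL categories, policy names and the "guest" catch-all are all constructed assumptions. It shows one Identity covering an authentication sequence of two realms, one Access Policy group per realm (first match wins, top to bottom), a single Decryption Policy rule applied to everyone the Identity covers, and the fall-through to guest treatment when authentication fails:

```python
"""Identity groups authenticate (who is this?); Access and Decryption policy
groups then authorize (what may they do?). Constructed illustration, not
AsyncOS code: realms, accounts, categories and policy names are made up."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed directories, one per authentication realm. Plaintext passwords
# only keep the example self-contained; a real realm is an LDAP/NTLM server.
REALMS = {
    "ldap_corp": {"alice": "hunter2", "bob": "letmein"},
    "ntlm_legacy": {"carol": "Passw0rd"},
}
# The authentication sequence: realms are tried in this order.
AUTH_SEQUENCE = ["ldap_corp", "ntlm_legacy"]

# Constructed URL categorisation standing in for the appliance's category DB.
CATEGORIES = {"news.example": "news", "casino.example": "gambling",
              "chat.example": "social", "bank.example": "finance"}


@dataclass(frozen=True)
class Identity:
    user: Optional[str]    # None: authentication failed, treated as guest
    realm: Optional[str]


@dataclass(frozen=True)
class Request:
    host: str
    method: str            # "GET" or "POST" (POST stands in for an upload)
    https: bool = False


def authenticate(username, password):
    """Identity-group evaluation: answer 'who is the user?' by walking the
    authentication sequence. Says nothing about what the user may access."""
    for realm in AUTH_SEQUENCE:
        stored = REALMS[realm].get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return Identity(username, realm)
    return Identity(None, None)   # failed everywhere: fall through to guest


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    realm: Optional[str]   # membership criterion; None matches any identity
    blocked: frozenset     # blocked URL categories
    allow_upload: bool


# Access Policy groups, evaluated top to bottom; the first matching group
# decides. One group per realm in the sequence, plus a catch-all for guests.
ACCESS_POLICIES = [
    AccessPolicy("corp_users", "ldap_corp", frozenset({"gambling"}), True),
    AccessPolicy("legacy_users", "ntlm_legacy",
                 frozenset({"gambling", "social"}), False),
    AccessPolicy("guest", None,
                 frozenset({"gambling", "social", "finance"}), False),
]

# Constructed Decryption Policy: one rule for everyone the Identity covers.
# Finance sites pass through undecrypted for authenticated users; a guest's
# HTTPS connections are always decrypted and inspected.
PASSTHROUGH_CATEGORIES = frozenset({"finance"})


def authorize(identity, request):
    """Policy-group evaluation: answer 'may this user do this?' for an
    already established identity. Returns (policy_name, action, decrypt)."""
    category = CATEGORIES.get(request.host, "uncategorized")
    policy = next(p for p in ACCESS_POLICIES
                  if p.realm is None or p.realm == identity.realm)
    if category in policy.blocked:
        action = "block"
    elif request.method == "POST" and not policy.allow_upload:
        action = "block"
    else:
        action = "allow"
    decrypt = False
    if request.https:
        decrypt = identity.user is None or category not in PASSTHROUGH_CATEGORIES
    return policy.name, action, decrypt


def decide(username, password, request):
    """End to end, in the order the Web Proxy uses: authenticate first, then
    authorize the resulting identity."""
    return authorize(authenticate(username, password), request)


if __name__ == "__main__":
    print(decide("alice", "hunter2", Request("bank.example", "GET", https=True)))
    print(decide("carol", "Passw0rd", Request("chat.example", "GET")))
    print(decide("nobody", "x", Request("news.example", "GET", https=True)))
```

Note the ordering: `authorize` never sees a password, only the `Identity` that `authenticate` produced, which is the separation the text describes. Carol is found only in the second realm of the sequence, yet still lands in the `legacy_users` Access Policy because that group's membership criterion is her realm, not her position in the sequence.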
Working with Failed Authentication and Authorization
You can allow users another opportunity to access the web if they fail 
authentication or authorization. How you configure the Web Security appliance 
depends on what fails:
  • Authentication. When authentication fails, you can grant guest access to the 
user. Authentication might fail under the following circumstances:
    – A new hire has been provided credentials in an email but they are not yet 
populated in the authentication server.