Cisco Cisco Web Security Appliance S690 User Guide

The Web Proxy sequentially reads through each Identity group in the Identity 
policies table. It compares the client request status to the membership criteria of 
the first Identity group. If they match, the Web Proxy assigns the Identity group 
to the transaction.

If they do not match, the Web Proxy compares the client request to the next 
Identity group. It continues this process until it matches the client request to a user 
defined Identity group, or if it does not match a user defined Identity group, it 
matches the global Identity policy. When the Web Proxy matches the client 
request to an Identity group or the global Identity policy, it assigns the Identity 
group to the transaction.

If at any time during the comparison process the user fails authentication, the Web 
Proxy terminates the request. For more information about how authentication 
works with Identity groups, see 

After the Web Proxy assigns an Identity to a client request, it evaluates the request 
against the other policy group types. For more information, see the following 
locations:

Requiring authentication for users can help your organization control access to 
the web for groups of users. AsyncOS allows you to create multiple Identity 
groups and define the membership criteria based on authentication requirements.

When authentication is required for an Identity group, a gold key icon appears 
next to the Identity group name in the Policies table, as shown in