Cisco Web Security Appliance S690 User Guide
Chapter 20 Authentication
Allowing Users to Re-Authenticate
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
authentication realms defined in the applicable Identity group, and if the new
credentials allow greater access, the requested page appears in the browser. For
more information, see
Note
The Web Proxy evaluates the new credentials against the authentication realms
defined in the applicable Identity group only. It does not compare them against all
other Identity groups.
When a more privileged user authenticates and gets access, the Web Proxy caches
the privileged user identity for different amounts of time depending on the
authentication surrogates configured:
• Session cookie. The privileged user identity is used until the browser is
  closed or the session times out.
• Persistent cookie. The privileged user identity is used until the surrogate
  times out.
• IP address. The privileged user identity is used until the surrogate times out.
• No surrogate. The Web Proxy requests authentication for every new
  connection, but most browsers will cache the privileged user credentials and
  authenticate without prompting the user until the browser is closed. However,
  because the Web Proxy requests authentication for every new connection,
  there is an increased impact on the authentication server when using
  NTLMSSP.
Note
To use the re-authentication feature with user defined end-user notification pages,
the CGI script that parses the redirect URL must parse and use the Reauth_URL
parameter. For more information, see
.
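The following is an added example, not code from the Cisco guide: a sketch of how a user-defined notification page script could parse the Reauth_URL parameter and render it as a link without reflecting untrusted input into the page. It assumes the parameter arrives URL-encoded in the query string of the redirect URL and holds an absolute http or https URL; the function names and page text are hypothetical.

```python
import html
import os
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: Reauth_URL is an absolute web URL


def extract_reauth_url(query_string):
    """Return the validated Reauth_URL value, or None if absent or unsafe."""
    values = parse_qs(query_string).get("Reauth_URL", [])
    # Reject a missing or repeated parameter rather than guessing which to use.
    if len(values) != 1:
        return None
    candidate = values[0].strip()
    # Embedded control characters have no place in a link target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return None
    # Blocks javascript:, data: and scheme-less values.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return None
    return candidate


def render_block_page(query_string):
    """Build the page body (constructed text), adding the link only if valid."""
    lines = ["<html><body>", "<h1>Access denied</h1>"]
    reauth = extract_reauth_url(query_string)
    if reauth is not None:
        # Escape for the attribute context: the value comes from the request URL.
        lines.append('<p><a href="%s">Log in as a different user</a></p>'
                     % html.escape(reauth, quote=True))
    lines.append("</body></html>")
    return "\n".join(lines)


if __name__ == "__main__":
    # A CGI server passes the query string in the QUERY_STRING variable.
    print("Content-Type: text/html; charset=utf-8\n")
    print(render_block_page(os.environ.get("QUERY_STRING", "")))
```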
Using Re-Authentication with Internet Explorer
When you enable re-authentication and clients use Microsoft Internet Explorer,
you need to verify certain settings to ensure re-authentication works properly with
Internet Explorer. Due to a known issue with Internet Explorer, re-authentication
does not work properly under the following circumstances:
• Internet Explorer is configured to use the Web Security appliance as a proxy.