Cisco Web Security Appliance S360 User Guide

Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 20 Authentication
Configuring Global Authentication Settings
Sending Authentication Credentials Securely
When authentication is used to identify clients using the Web, the client 
applications send the authentication credentials to the Web Proxy, which in turn 
passes them to the authentication server. How the credentials are passed from the 
clients to the Web Proxy depends on the authentication scheme used:
  • NTLMSSP. The credentials are always passed to the Web Proxy securely. 
    They are encrypted using a key specified by the Active Directory server and 
    sent over HTTP. 
  • Basic. By default, the credentials are passed to the Web Proxy insecurely. 
    They are encoded, but not encrypted, and sent over HTTP. However, you can 
    configure the Web Security appliance so clients send authentication 
    credentials securely. This works for both LDAP and NTLM Basic 
    authentication.
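The difference between "encoded" and "encrypted" described above, as an added example that is not part of the Cisco guide: this Python sketch audits constructed request headers and marks a credential as exposed when a Basic token crosses plain HTTP, where Base64 decoding alone recovers it. The sample users, passwords, host name, and the helper names audit and decode_basic are assumptions made for illustration.

```python
import base64
import binascii

AUTH_HEADERS = ("authorization", "proxy-authorization")

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample input (invented users, passwords, host): (transport, raw headers).
SAMPLE_REQUESTS = [
    ("http", "GET http://intranet.example/ HTTP/1.1\r\n"
             "Proxy-Authorization: Basic " + b64(b"jsmith:Winter2010!") + "\r\n\r\n"),
    ("https", "GET / HTTP/1.1\r\n"
              "Authorization: Basic " + b64(b"adoe:s3cret") + "\r\n\r\n"),
    ("http", "GET http://intranet.example/ HTTP/1.1\r\n"
             "Proxy-Authorization: NTLM " + b64(b"NTLMSSP\x00" + bytes(24)) + "\r\n\r\n"),
    ("http", "GET http://intranet.example/ HTTP/1.1\r\n"
             "Proxy-Authorization: Basic not-base64!\r\n\r\n"),
]

def decode_basic(token):
    """Return (user, password) from a Basic token, or None if it is malformed."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """Report each credential header and whether it is readable on the wire."""
    findings = []
    for transport, raw in requests:
        for line in raw.split("\r\n")[1:]:          # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() not in AUTH_HEADERS:
                continue
            scheme, _, token = value.strip().partition(" ")
            creds = decode_basic(token.strip()) if scheme.lower() == "basic" else None
            findings.append({
                "transport": transport,
                "scheme": scheme,
                "user": creds[0] if creds else None,
                # Length only, so the audit output does not repeat the password.
                "password_len": len(creds[1]) if creds else None,
                "exposed": creds is not None and transport == "http",
            })
    return findings
```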
When you configure the appliance to use credential encryption for Basic 
authentication, the Web Proxy redirects the client back to the Web Proxy, this 
time over an encrypted HTTPS connection. The client application makes either a 
GET or a CONNECT request, depending on how requests are forwarded to the 
appliance (explicitly or transparently) and on whether the client application 
is configured to forward HTTPS requests through the Web Proxy. 
The clients then send the authentication credentials over the secure HTTPS 
connection. By default, the appliance uses its own certificate and private key 
to create the HTTPS connection with the client. Most browsers will warn users 
that the certificate is not valid. To prevent users from seeing the invalid 
certificate message, you can upload a certificate and key pair that your 
organization uses. When you upload a certificate and key, the private key must 
be unencrypted. For information about uploading a certificate and key, see 
To configure the appliance to use credential encryption, enable the Credential 
Encryption setting in the global authentication settings. For more information, see 
. You can also use the advancedproxyconfig > authentication CLI command. For more information, 
see