Cisco Cisco Web Security Appliance S670 User Guide
CHAPTER 7: IDENTITIES
ALLOWING GUEST ACCESS TO USERS WHO FAIL AUTHENTICATION
You can grant limited access to users who fail authentication due to invalid credentials. By
default, when a client passes invalid authentication credentials, the Web Proxy continually
requests valid credentials, essentially blocking access to all Internet resources. However,
when you allow guest access, the first time the client passes invalid authentication
credentials, the user is treated as a guest and the Web Proxy does not request authentication
again.
You might want to grant guest access to users in the following situations:
• A visitor comes to the office and needs to be granted restricted Internet access, but is not
in the corporate user directory.
• An employee from another branch location (or from an acquired company) comes to the
corporate headquarters, and needs Internet access. The user directories of the branch
location (or acquired company) and corporate headquarters are separate, so the
employee’s credentials do not work in the corporate headquarters.
• A new hire has been provided credentials in an email but they are not yet populated in
the authentication server.
• A user logs into a Windows workstation using a local account instead of a Windows
domain account and the user needs access to the Internet.
The authentication server administrator in your organization can create a guest user account
in the user directory. However, allowing guest access through the Web Security appliance has
the benefit that the administrator does not have to communicate the guest credentials to every
visitor.
To grant guest access to users who fail authentication, you create an Identity that requires
authentication, but also allows guest privileges. Then you create another policy using that
Identity and apply that policy to the guest users. When users who fail authentication have
guest access, they can access the resources defined in the policy group that specifies guest
access for that Identity.
A user who fails authentication has all transactions blocked if either of the following
conditions is true:
• Guest privileges are not provided in any Identity.
• The user does not match any Identity that provides guest privileges.
A user who fails authentication has transactions allowed when all of the following conditions
are true:
• The user matches an Identity with guest privileges.
• A non-Identity policy group uses that Identity and applies to guest users.
For example, you can create an Access or Decryption Policy that is specific to guest users.
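The block and allow conditions above can be modeled as a small decision function with an audit helper. This is an added example, not code or a configuration format from the appliance or the guide. The class names, the subnet-only membership rule, the sample data, and the "no-guest-policy" result (a guest Identity matches but no policy group applies to its guests, so the allow conditions are not met) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model for illustration; not the appliance's configuration format.
@dataclass(frozen=True)
class Identity:
    name: str
    subnet: str             # assumption: membership decided by client subnet only
    guest_privileges: bool  # Identity requires authentication but allows guests
@dataclass(frozen=True)
class PolicyGroup:
    name: str
    identity: str            # name of the Identity this policy group uses
    applies_to_guests: bool  # policy group is applied to guest users

def failed_auth_outcome(identities, policies, client_ip):
    """Outcome for a client that presented invalid credentials."""
    addr = ip_address(client_ip)
    guest_ids = [i.name for i in identities
                 if i.guest_privileges and addr in ip_network(i.subnet)]
    # Blocked: no Identity offers guest privileges, or the client matches none that does.
    if not guest_ids:
        return ("blocked", None)
    # Allowed as guest: a policy group uses that Identity and applies to guests.
    for pol in policies:
        if pol.applies_to_guests and pol.identity in guest_ids:
            return ("guest", pol.name)
    # Guest Identity matched, but the second allow condition is unmet.
    return ("no-guest-policy", None)

def guest_identities_without_policy(identities, policies):
    """Audit helper: guest-enabled Identities that no guest policy group uses."""
    covered = {p.identity for p in policies if p.applies_to_guests}
    return [i.name for i in identities
            if i.guest_privileges and i.name not in covered]

# Constructed sample configuration.
IDENTITIES = [
    Identity("Lobby", "10.20.0.0/24", True),
    Identity("Lab", "10.30.0.0/24", True),
    Identity("Staff", "10.0.0.0/8", False),
]
POLICIES = [
    PolicyGroup("Staff-Access", "Staff", False),
    PolicyGroup("Guest-Access", "Lobby", True),
]
if __name__ == "__main__":
    for ip in ("10.20.0.5", "10.30.0.9", "10.0.5.5", "192.168.1.1"):
        print(ip, failed_auth_outcome(IDENTITIES, POLICIES, ip))
```

Running the audit helper over an exported or hand-transcribed rule set shows which guest-enabled Identities have no guest-specific policy group attached, which is worth reviewing because guest access relaxes the authentication requirement for those clients.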