Cisco Web Security Appliance S380 User Guide

AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
Chapter 5      Acquire End-User Credentials
  Authentication Planning
Note
The Active Directory agent instance used to communicate with the Web Security appliance can also support other appliances, including Cisco's Adaptive Security Appliance and other Web Security appliances.
Obtaining, Installing, and Configuring Cisco’s Context Directory Agent 
You can find information about downloading, installing, and configuring the Cisco Context Directory Agent here:
.
Note
The Web Security appliance and Active Directory agent communicate with each other using the RADIUS protocol. The appliance and the agent must be configured with the same shared secret to obfuscate user passphrases. Other user attributes are not obfuscated.
Transparent User Identification with LDAP
AsyncOS for Web can communicate with an eDirectory server configured as a Lightweight Directory Access Protocol (LDAP) realm that maintains IP-address-to-user-name mappings. When a user logs in through an eDirectory client, the user is authenticated against the eDirectory server. When authentication succeeds, the client IP address is recorded in the eDirectory server as an attribute (NetworkAddress) of the user who logged in.
Consider the following when you identify users transparently using LDAP (eDirectory):
• The eDirectory client must be installed on each client workstation, and end users must use it to authenticate against an eDirectory server.
• The LDAP tree used by the eDirectory client log-in must be the same LDAP tree configured in the authentication realm.
• If the eDirectory clients use multiple LDAP trees, create an authentication realm for each tree, and then create an authentication sequence that uses each LDAP authentication realm.
• When you configure the LDAP authentication realm as an eDirectory, you must specify a Bind DN for the query credentials.
• The eDirectory server must be configured to update the NetworkAddress attribute of the user object when a user logs in.
• AsyncOS for Web searches only direct parent groups for a user. It does not search nested groups.
• You can use the NetworkAddress attribute for an eDirectory user to determine the most-recent log-in IP address for the user.
Rules and Guidelines for Transparent User Identification 
Consider the following rules and guidelines when using transparent user identification with any authentication server:
• When using DHCP to assign IP addresses to client machines, ensure the IP-address-to-user-name mappings are updated on the Web Security appliance more frequently than the DHCP lease. Use the tuiconfig CLI command to update the mapping update interval. For more information, see
• If a user logs out of a machine and another user logs into the same machine before the IP-address-to-user-name mapping is updated on the Web Security appliance, then the Web Proxy logs the client as the previous user.
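The following added example (not code from the guide or from Cisco) models the eDirectory NetworkAddress lookup and the DHCP-lease rule above: a constructed user-to-IP directory stands in for the eDirectory server, the cache refresh interval plays the role of the tuiconfig mapping update interval, and the simulation shows how a refresh interval longer than the time between two log-ins on one recycled address attributes the second user's traffic to the first. Storing NetworkAddress as a plain dotted-quad string is a simplification assumed here.

```python
from typing import Dict, Optional

# Constructed stand-in for the eDirectory server: user -> NetworkAddress (client IP).
# Plain dotted-quad strings are an assumption for this example only.
DIRECTORY: Dict[str, str] = {"alice": "10.0.0.5", "carol": "10.0.0.9"}


def refresh_interval_is_safe(mapping_interval_s: int, dhcp_lease_s: int) -> bool:
    """The guide's rule: mappings must be refreshed more often than the DHCP lease."""
    return mapping_interval_s < dhcp_lease_s


class IpUserCache:
    """IP-address-to-user-name cache rebuilt from the directory every interval_s seconds,
    the role the tuiconfig mapping update interval plays on the appliance."""

    def __init__(self, directory: Dict[str, str], interval_s: int) -> None:
        self.directory = directory
        self.interval_s = interval_s
        self.ip_to_user: Dict[str, str] = {}
        self.last_refresh: Optional[float] = None

    def refresh(self, now: float) -> None:
        # Invert user -> NetworkAddress into ip -> user, the direction the proxy needs.
        self.ip_to_user = {ip: user for user, ip in self.directory.items()}
        self.last_refresh = now

    def lookup(self, client_ip: str, now: float) -> Optional[str]:
        # Only re-query the directory once the mapping is older than the interval.
        if self.last_refresh is None or now - self.last_refresh >= self.interval_s:
            self.refresh(now)
        return self.ip_to_user.get(client_ip)


def simulate_handoff(interval_s: int) -> Optional[str]:
    """alice logs in at t=0; at t=100 she logs out and bob receives the same DHCP
    address. Returns the user the proxy would log for that IP at t=150."""
    directory = dict(DIRECTORY)
    cache = IpUserCache(directory, interval_s)
    cache.lookup("10.0.0.5", now=0)      # first request: alice is mapped
    del directory["alice"]               # alice logs out; eDirectory drops her address
    directory["bob"] = "10.0.0.5"        # bob logs in on the recycled address
    return cache.lookup("10.0.0.5", now=150)
```

With a 300-second interval the t=150 request is still attributed to alice; with a 60-second interval the cache is rebuilt and bob is logged correctly.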