Cisco Web Security Appliance S690 User Guide

AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
 
Chapter 5      Acquire End-User Credentials
  Authentication Planning
However, you can configure the Web Security appliance to authenticate users transparently—that is, 
without prompting the end user for credentials. Transparent identification authenticates the user by 
means of credentials obtained from another trusted source, with the assumption that the user has already 
been authenticated by that trusted source, and then applies the appropriate policies.
You might want to identify users transparently to:
Create a single sign-on environment so users are not aware of the presence of a proxy on the network.
Apply authentication-based policies to transactions coming from client applications that are incapable of displaying an authentication prompt to end users.
Identifying users transparently only affects how the Web Proxy obtains the user name and assigns an 
Identification Profile. After it obtains the user name and assigns an Identification Profile, it applies all 
other policies normally, regardless of how it assigned the Identification Profile.
If transparent authentication fails, you can configure how to handle the transaction: you can grant the 
user guest access, or you can force an authentication prompt to appear to the user. 
When an end user is shown an authentication prompt due to failed transparent user identification, and 
the user then fails authentication due to invalid credentials, you can choose whether to allow the user 
guest access. 
Note
When you enable re-authentication and a transaction is blocked by URL filtering, an end-user 
notification page appears with the option to log in as a different user. Users who click the link are 
prompted for authentication. For more information, see 
Understanding Transparent User Identification
The available methods of transparent user identification are:
Transparently identify users with ISE – Available when the Identity Services Engine (ISE) service 
is enabled (Network > Identity Services Engine). For these transactions, the user name and 
associated Secure Group Tags will be obtained from an Identity Services Engine server. See 
.
Transparently identify users with ASA – Users are identified by the current IP address-to-user 
name mapping received from a Cisco Adaptive Security Appliance (for remote users only). This 
option is available when AnyConnect Secure Mobility is enabled and integrated with an ASA. The 
user name will be obtained from the ASA, and associated directory groups will be obtained from the 
authentication realm or sequence specified on the Web Security appliance. See 
Transparently identify users with authentication realms – This option is available when one or 
more authentication realms are configured to support transparent identification using one of the 
following authentication servers:
Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context Directory Agent. For more information, see Transparent User Identification with Active Directory, page 5-7.
LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user identification. For more information, see Transparent User Identification with LDAP, page 5-8.
AsyncOS for Web communicates at regular intervals with eDirectory or an Active Directory agent 
to maintain mappings that match authenticated user names to their current IP addresses.
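The decision flow described above (trust an IP-to-user mapping obtained from another source, refreshed at intervals; on failure grant guest access or prompt; after a failed prompt, optionally grant guest access) as an added illustrative model. This is not AsyncOS code; the MAX_AGE freshness limit, the Mapping and Decision types, and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed model of transparent user identification as the guide describes it.
# The proxy never sees credentials; it trusts an IP-to-user mapping reported by a
# trusted source (ISE, ASA, an Active Directory agent or eDirectory).


class Fallback(Enum):
    GUEST = "guest"    # failed transparent identification -> grant guest access
    PROMPT = "prompt"  # failed transparent identification -> show an auth prompt


@dataclass
class Mapping:
    user: str
    learned_at: float  # seconds; when the trusted source last reported this mapping


@dataclass
class Decision:
    user: Optional[str]  # identified user name, "guest", or None (no access)
    prompted: bool       # whether the end user was shown an authentication prompt


# Hypothetical limit: a mapping older than this is not trusted, because the source
# is polled at intervals and the address may since have been reassigned.
MAX_AGE = 300.0


def identify(ip, mappings, now, fallback, guest_after_failed_prompt, prompt_result=None):
    """Decide how a transaction from `ip` is identified.

    mappings: dict ip -> Mapping, as received from the trusted source.
    prompt_result: when a prompt is shown, the user name on success or None when
    the user entered invalid credentials (supplied by the caller in this model).
    """
    m = mappings.get(ip)
    if m is not None and 0 <= now - m.learned_at <= MAX_AGE:
        return Decision(m.user, prompted=False)   # transparent identification succeeded
    # Transparent identification failed: no mapping, or the mapping is too old to trust.
    if fallback is Fallback.GUEST:
        return Decision("guest", prompted=False)
    if prompt_result is not None:
        return Decision(prompt_result, prompted=True)  # user authenticated at the prompt
    # Invalid credentials at the prompt: guest access only if the policy allows it.
    return Decision("guest" if guest_after_failed_prompt else None, prompted=True)
```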