Cisco Web Security Appliance S690 User Guide

AsyncOS 9.0 for Cisco Web Security Appliances User Guide
 
Chapter 5 Acquire End-User Credentials
Related Information
.
See also the description of the Authentication Surrogates options in 
.
Tracking Re-Authenticated Users
With re-authentication, if a more privileged user authenticates and is authorized, the Web Proxy caches this user identity for different amounts of time depending on the authentication surrogates configured:
• Session cookie. The privileged user identity is used until the browser is closed or the session times out.
• Persistent cookie. The privileged user identity is used until the surrogate times out.
• IP address. The privileged user identity is used until the surrogate times out.
• No surrogate. By default, the Web Proxy requests authentication for every new connection, but when re-authentication is enabled, the Web Proxy requests authentication for every new request, so there is an increased load on the authentication server when using NTLMSSP. The increase in authentication activity may not be apparent to a user, however, because most browsers will cache the privileged user credentials and authenticate without prompting until the browser is closed. Also, when the Web Proxy is deployed in transparent mode, and the “Apply same surrogate settings to explicit forward requests” option is not enabled, no authentication surrogates are used for explicit forward requests and increased load will occur with re-authentication.
Note: If the Web Security appliance uses cookies for authentication surrogates, Cisco recommends enabling credential encryption.
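The following is an added example, not code from Cisco or from this guide: a small model of the surrogate behavior listed above that reports which requests in a trace trigger an authentication request under each surrogate type. The `Req` fields, the sample trace, and the treatment of the timeout as absolute from the time of authentication are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed trace fields: time (s), client IP, browser profile,
# browser run (increments when the browser is restarted), TCP connection id.
Req = namedtuple("Req", "t ip profile run conn")

def surrogate_key(req, index, surrogate, reauth):
    """Key under which the modelled proxy remembers an authenticated identity."""
    if surrogate == "session_cookie":
        return (req.profile, req.run)   # cookie is gone once the browser closes
    if surrogate == "persistent_cookie":
        return req.profile              # cookie survives a browser restart
    if surrogate == "ip":
        return req.ip                   # one identity per client IP address
    if surrogate == "none":
        # Per connection by default, per request when re-authentication is on.
        return ("req", index) if reauth else ("conn", req.conn)
    raise ValueError(f"unknown surrogate: {surrogate}")

def auth_requests(trace, surrogate, timeout, reauth=True):
    """Return indices of requests for which the proxy requests authentication."""
    expires, challenged = {}, []
    for i, req in enumerate(trace):
        key = surrogate_key(req, i, surrogate, reauth)
        if key not in expires or req.t >= expires[key]:
            challenged.append(i)
            # Assumption: the timeout is absolute, counted from authentication.
            expires[key] = float("inf") if surrogate == "none" else req.t + timeout
    return challenged

# Constructed sample: one workstation, browser restarted before request 3,
# a second browser profile at request 4, request 5 after the timeout.
TRACE = [
    Req(0, "10.0.0.5", "A", 1, 1),
    Req(10, "10.0.0.5", "A", 1, 1),
    Req(20, "10.0.0.5", "A", 1, 2),
    Req(100, "10.0.0.5", "A", 2, 3),
    Req(200, "10.0.0.5", "B", 1, 4),
    Req(4000, "10.0.0.5", "A", 2, 5),
]

if __name__ == "__main__":
    for mode in ("session_cookie", "persistent_cookie", "ip", "none"):
        print(mode, auth_requests(TRACE, mode, timeout=3600))
```

Requests that do not appear in a result are served under the identity already cached for that key, so a shorter list means both less load on the authentication server and a longer period during which the privileged identity is reused.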
Credentials
Authentication credentials are obtained from users either by prompting them to enter their credentials 
through their browsers or another client application, or by obtaining the credentials transparently from 
another source. 
Tracking Credentials for Reuse During a Session
Using authentication surrogates, after a user authenticates once during a session, you can track 
credentials for reuse throughout that session rather than having the user authenticate for each new 
request. Authentication surrogates may be based on the IP address of the user’s workstation or on a 
cookie that is assigned to the session.