Cisco Web Security Appliance S690 User Guide

5-10
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Planning
Configure proxy cache timeout for Active Directory agent – Length of time, in seconds, that proxy-specific IP-address-to-user mappings are cached; valid values range from five to 1200 seconds. The default and recommended value is 120 seconds. Specifying a lower value may negatively affect proxy performance.

Configure mapping timeout for Novell eDirectory – Length of time, in seconds, that IP-address-to-user mappings are cached for IP addresses retrieved from the eDirectory server when there are no updates from the server.

Configure query wait time for Active Directory agent – The length of time, in seconds, to wait for a reply from the Active Directory agent. If the query takes longer than this value, transparent user identification is considered to have failed. This limits the authentication delay experienced by the end user.

Configure query wait time for Novell eDirectory – The length of time, in seconds, to wait for a reply from the eDirectory server. If the query takes longer than this value, transparent user identification is considered to have failed. This limits the authentication delay experienced by the end user.

The Active Directory settings apply to all AD realms using an AD agent for transparent user identification. The eDirectory settings apply to all LDAP realms using eDirectory for transparent user identification.
If validation fails for any one parameter, none of the values will be changed.
tuistatus – This command provides the following AD-related subcommands:

adagentstatus – Displays the current status of all AD agents, as well as information about their connections with the Windows domain controllers.

listlocalmappings – Lists all IP-address-to-user-name mappings stored on the Web Security appliance, as retrieved by the AD agent(s). It does not list entries stored on the agent(s), nor does it list mappings for which queries are currently in progress.
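The following model, added here as an illustration and not Cisco's own code, shows how the cache timeout, the query wait time, the all-or-nothing validation rule and the listlocalmappings view fit together for an AD agent realm. The AD agent is stood in for by a caller-supplied function that returns a user name and the seconds the query took; the default query wait time of 10 seconds is an assumption, since the page gives no default for it.

```python
"""Model of transparent user identification timing on a Web Security Appliance:
a local IP-to-user mapping cache with a timeout, and an AD-agent query bounded
by a wait time. Added illustration; this is not the appliance's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Documented range and default for the AD agent proxy cache timeout (seconds).
CACHE_MIN, CACHE_MAX, CACHE_DEFAULT = 5, 1200, 120


@dataclass
class TuiSettings:
    cache_timeout: int = CACHE_DEFAULT  # seconds a local mapping stays valid
    query_wait: int = 10                # assumed default; the page states none

    def update(self, **values: int) -> None:
        """Validate every parameter first; if any fails, change nothing."""
        candidate = TuiSettings(**{**vars(self), **values})
        if not CACHE_MIN <= candidate.cache_timeout <= CACHE_MAX:
            raise ValueError(f"cache timeout must be {CACHE_MIN}-{CACHE_MAX} s")
        if candidate.query_wait <= 0:
            raise ValueError("query wait time must be positive")
        vars(self).update(vars(candidate))   # commit only after all checks pass


@dataclass
class TransparentIdentifier:
    settings: TuiSettings
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (user, stored_at)

    def identify(self, ip: str, now: float,
                 query: Callable[[str], Tuple[Optional[str], float]]) -> Optional[str]:
        """Return the user mapped to ip, or None when transparent identification
        is considered to have failed. query(ip) models the AD agent and returns
        (user_or_None, seconds_the_query_took)."""
        hit = self.cache.get(ip)
        if hit and now - hit[1] < self.settings.cache_timeout:
            return hit[0]                 # served locally; agent not consulted
        self.cache.pop(ip, None)          # mapping expired (or never existed)
        user, latency = query(ip)
        if user is None or latency > self.settings.query_wait:
            return None                   # reply too slow: fail, bounding the delay
        self.cache[ip] = (user, now)
        return user

    def local_mappings(self, now: float) -> Dict[str, str]:
        """What listlocalmappings would show: unexpired mappings held locally."""
        return {ip: user for ip, (user, stored) in self.cache.items()
                if now - stored < self.settings.cache_timeout}
```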
Configuring Single-Sign-on
Obtaining credentials transparently facilitates a single-sign-on environment. Transparent user identification is an authentication realm setting.

For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the NetBIOS name rather than a fully qualified domain name. Alternatively, you can add the appliance host name to Internet Explorer’s Local intranet zone (Tools > Internet options > Security tab); however, this will be required on every client. For more information about this, see

With Firefox and other non-Microsoft browsers, the parameters network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris must be set to the transparent-mode Redirect Hostname. You also can refer to . This provides general information about changing Firefox parameters.

For information about the Redirect Hostname, see , or the CLI comman