Cisco Web Security Appliance S670 User Guide
AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
Chapter 6 Classify End-Users and Client Software
Classifying Users and Client Software
There are three types of methods: exempt from authentication/identification, authenticate users, and
transparently identify users. Users can be transparently identified in three ways: with ISE, with ASA
(via AnyConnect Secure Mobility), or with an appropriately configured authentication realm. The latter
is either an Active Directory realm or an LDAP realm configured as a Novell eDirectory.
a. Choose an identification method from the User Identification Method drop-down list.
Note: When at least one Identification Profile with authentication or transparent identification is
configured, the policy tables will support defining policy membership using user names,
directory groups, and Secure Group Tags.
b. Supply parameters appropriate to the chosen method. Not all of the sections described in this table are
visible for each choice.
Option: Exempt from authentication/identification
Description: Users are identified primarily by IP address. No additional parameters are required.

Option: Authenticate users
Description: Users are identified by the authentication credentials they enter.

Option: Transparently identify users with ISE
Description: Available when the ISE service is enabled (Network > Identity Services Engine). For these
transactions, the user name and associated Secure Group Tags will be obtained from the Identity Services
Engine. For more information, see .

Option: Transparently identify users with ASA
Description: Users are identified by the current IP address-to-user name mapping received from a Cisco
Adaptive Security Appliance (for remote users only). This option appears when Secure Mobility is enabled
and integrated with an ASA. The user name will be obtained from the ASA, and associated directory groups
will be obtained from the selected authentication realm or sequence.

Option: Transparently identify users with authentication realm
Description: This option is available when one or more authentication realms are configured to support
transparent identification.

Option: Fallback to Authentication Realm or Guest Privileges
Description: If user authentication is not available from ISE:
• Support Guest Privileges – The transaction will be allowed to continue, and will match subsequent
  policies for Guest users from all Identification Profiles.
• Block Transactions – Do not allow Internet access to users who cannot be identified by ISE.
• Support Guest privileges – Check this box to grant guest access to users who fail authentication due
  to invalid credentials.