Cisco Web Security Appliance S380 User Guide
AsyncOS 8.8 for Cisco Web Security Appliances User Guide

Chapter 5    Acquire End-User Credentials
Authentication Planning

Comparison of authentication schemes by deployment mode (explicit forward proxy versus transparent proxy):
Active Directory/NTLMSSP

  Explicit Forward

    Advantages:
    - Because the password is not transmitted to the authentication server, it is more secure.
    - The connection is authenticated, not the host or IP address.
    - Achieves true single sign-on in an Active Directory environment when the client applications are configured to trust the Web Security appliance.

    Disadvantages:
    - Moderate overhead: each new connection needs to be re-authenticated.
    - Primarily supported on Windows only, and with major browsers only.

  Transparent

    Advantages:
    - More flexible.

    Transparent NTLMSSP authentication is similar to transparent Basic authentication, except that the Web Proxy communicates with clients using challenge and response instead of a Basic clear-text username and password.

    The advantages and disadvantages of transparent NTLM authentication are the same as those of transparent Basic authentication, except that transparent NTLM authentication has the added advantage of not sending the password to the authentication server, and single sign-on can be achieved when the client applications are configured to trust the Web Security appliance.

LDAP/Basic

  Explicit Forward

    Advantages:
    - RFC-based.
    - More browser support than NTLM.
    - Minimal overhead.
    - Works for HTTPS (CONNECT) requests.

    Disadvantages:
    - No single sign-on.
    - Password sent as clear text (Base64) for every request.

    Workarounds:

  Transparent

    Advantages:
    - More flexible than explicit forward.
    - More browser support than NTLM.
    - With user agents that do not support authentication, users only need to authenticate first in a supported browser.
    - Relatively low overhead.
    - Works for HTTPS requests if the user has previously authenticated with an HTTP request.

    Disadvantages:
    - No single sign-on.
    - Password is sent as clear text (Base64).
    - Authentication credentials are associated with the IP address, not the user (does not work in Citrix and RDP environments, or if the user changes IP address).

    Workarounds:

Identifying Users Transparently

Traditionally, users are identified and authenticated by prompting them to enter a user name and password. These credentials are validated against an authentication server, and then the Web Proxy applies the appropriate policies to the transaction based on the authenticated user name.
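The table above contrasts Basic (password carried as reversible Base64 on every request) with NTLMSSP (challenge/response, so the password itself never crosses the wire). The following added example, which is not part of the Cisco guide, shows how an administrator auditing captured explicit-forward-proxy traffic can classify the Proxy-Authorization headers clients actually send and count how many requests carried a reversible Basic credential; the sample header values are constructed.

```python
"""Classify Proxy-Authorization header values from a capture of explicit
forward-proxy traffic and count reversible (Basic) credentials.
Sample data below is constructed for illustration."""
import base64
import struct

# Every NTLMSSP message starts with this signature; the 32-bit little-endian
# field right after it is the message type (1 Negotiate, 2 Challenge, 3 Authenticate).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def classify(header_value):
    """Return (scheme, detail, exposes_password) for one header value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is Base64("user:password"): anyone seeing the header has the password.
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return ("Basic", f"user={user} password_len={len(password)}", True)
    if scheme in ("ntlm", "negotiate"):
        raw = base64.b64decode(token)
        if raw.startswith(NTLMSSP_SIGNATURE):
            msg_type = struct.unpack_from("<I", raw, len(NTLMSSP_SIGNATURE))[0]
            return ("NTLMSSP", NTLM_TYPES.get(msg_type, f"type {msg_type}"), False)
        return (scheme.capitalize(), "non-NTLMSSP token (e.g. Kerberos)", False)
    return (scheme, "unknown scheme", False)


def audit(headers):
    """Classify each header and count those exposing a reversible password."""
    results = [classify(h) for h in headers]
    exposed = sum(1 for _, _, exposes in results if exposes)
    return results, exposed


# Constructed sample: two Basic requests and one NTLM Negotiate (Type 1) message.
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"jdoe:Winter2015").decode(),
    "Basic " + base64.b64encode(b"asmith:hunter2").decode(),
    "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 24).decode(),
]

if __name__ == "__main__":
    results, exposed = audit(SAMPLE_HEADERS)
    for scheme, detail, _ in results:
        print(f"{scheme:8} {detail}")
    print(f"{exposed} of {len(results)} requests carried a reversible Basic credential")
```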