Cisco Web Security Appliance S690 User Guide

AsyncOS 9.2 for Cisco Web Security Appliances User Guide
 
Chapter 6 Classify End-Users and Client Software
Classifying Users and Client Software
There are two types of methods: exempt from authentication/identification and authenticate users.
a. Choose an identification method from the User Identification Method drop-down list.

   Note: When at least one Identification Profile with authentication or transparent identification is configured, the policy tables will support defining policy membership using user names, directory groups, and Secure Group Tags.

b. Supply parameters appropriate to the chosen method. Not all of the sections described in this table are visible for each choice.

Option: Exempt from authentication/identification
Description: Users are identified primarily by IP address. No additional parameters are required.

Option: Authenticate users
Description: Users are identified by the authentication credentials they enter.

Option: Authentication Realm
Description:
  - Select a Realm or Sequence – Choose a defined authentication realm or sequence.
  - Select a Scheme – Choose an authentication scheme:
    - Kerberos – The client is transparently authenticated by means of Kerberos tickets.
    - Basic – The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember the provided credentials. Each time the user opens the browser, the client either prompts for credentials or resends the previously saved credentials.
      Credentials are sent unsecured as clear text (Base64). A packet capture between the client and Web Security appliance can reveal the user name and passphrase.
    - NTLMSSP – The client transparently authenticates using its Windows login credentials. The user is not prompted for credentials.
      However, the client prompts the user for credentials under the following circumstances:
      - The Windows credentials failed.
      - The client does not trust the Web Security appliance because of browser security settings.
      Credentials are sent securely using a three-way handshake (digest style authentication). The passphrase is never sent across the connection.
  - Support Guest privileges – Check this box to grant guest access to users who fail authentication due to invalid credentials.