Cisco Web Security Appliance S690 User Guide
AsyncOS 9.2 for Cisco Web Security Appliances User Guide
Chapter 6 Classify End-Users and Client Software
Classifying Users and Client Software
There are two types of methods: exempt from authentication/identification and authenticate users.
a. Choose an identification method from the User Identification Method drop-down list.
Note: When at least one Identification Profile with authentication or transparent identification is configured, the policy tables will support defining policy membership using user names, directory groups, and Secure Group Tags.
b. Supply parameters appropriate to the chosen method. Not all of the sections described in this table are visible for each choice.
Option: Exempt from authentication/identification
Description: Users are identified primarily by IP address. No additional parameters are required.

Option: Authenticate users
Description: Users are identified by the authentication credentials they enter.

Option: Authentication Realm
Description:
Select a Realm or Sequence – Choose a defined authentication realm or sequence.
Select a Scheme – Choose an authentication scheme:
• Kerberos – The client is transparently authenticated by means of Kerberos tickets.
• Basic – The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember the provided credentials. Each time the user opens the browser, the client either prompts for credentials or resends the previously saved credentials.
  Credentials are sent unsecured as clear text (Base64). A packet capture between the client and Web Security appliance can reveal the user name and passphrase.
• NTLMSSP – The client transparently authenticates using its Windows login credentials. The user is not prompted for credentials.
  However, the client prompts the user for credentials under the following circumstances:
  – The Windows credentials failed.
  – The client does not trust the Web Security appliance because of browser security settings.
  Credentials are sent securely using a three-way handshake (digest style authentication). The passphrase is never sent across the connection.
• Support Guest privileges – Check this box to grant guest access to users who fail authentication due to invalid credentials.
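
Added example, not part of the Cisco guide: a small Python audit that classifies the authentication scheme seen in request headers and shows why the table treats Basic differently from NTLMSSP and Kerberos. It assumes the credentials travel in `Authorization` or `Proxy-Authorization` headers and that Kerberos tickets arrive under the `Negotiate` scheme; the sample headers, user name and function names are constructed for illustration.

```python
import base64
import struct

# Constructed sample request headers (not from a real capture).
SAMPLE_HEADERS = [
    "Proxy-Authorization: Basic " + base64.b64encode(b"jdoe:Example-Pass1").decode(),
    "Proxy-Authorization: NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 8).decode(),
    "Proxy-Authorization: NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 8).decode(),
    "Authorization: Negotiate " + base64.b64encode(b"\x60\x82\x01\x00constructed-spnego").decode(),
    "Host: example.com",
]

# NTLMSSP message types; type 2 is sent by the server, types 1 and 3 by the client.
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify(header_line):
    """Return (scheme, detail, cleartext_exposed), or None for non-auth headers."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() not in ("authorization", "proxy-authorization"):
        return None
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return (scheme, "undecodable token", False)
    if scheme == "basic":
        # Base64 is an encoding, not encryption: decoding alone yields user:passphrase.
        user, _, secret = raw.decode("utf-8", "replace").partition(":")
        # Report only the length so the audit output never stores the passphrase.
        return ("basic", f"user={user} passphrase=<{len(secret)} chars recoverable>", True)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # The 4-byte little-endian message type follows the 8-byte signature.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return ("ntlmssp", NTLM_TYPES.get(msg_type, f"type {msg_type}"), False)
    if scheme == "negotiate":
        return ("kerberos/spnego", f"{len(raw)}-byte token", False)
    return (scheme, "unrecognized", False)


def audit(lines):
    """Classify every auth header in a list of header lines."""
    return [r for r in map(classify, lines) if r is not None]


if __name__ == "__main__":
    for scheme, detail, exposed in audit(SAMPLE_HEADERS):
        print(f"{scheme:16} exposed={exposed!s:5} {detail}")
```
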