Cisco Web Security Appliance S670 User Guide
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 7 Identities
Evaluating Identity Group Membership
Figure 7-1 Identity Groups that Require Authentication
To define authentication requirements for an Identity group, you can choose an
authentication realm or sequence that applies to the Identity group.
Note: You can specify the authorized users when you use the Identity in a
non-Identity policy group.
Consider the following rules and guidelines when creating and ordering Identity
groups:
• Identity group order. All Identity groups that do not require authentication
  must be above Identity groups that require authentication.
• Cookie-based authentication. When the appliance is configured to use
  cookie-based authentication surrogates, it does not get cookie information
  from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get
  the user name from the cookie. How HTTPS and FTP over HTTP requests are
  matched against the Identity groups varies based on other factors. For more
  information, see
• Identity uniqueness. Verify that the Identity group membership requirements
  are unique for each Identity group. If two Identity groups require the exact
  same membership, then client requests never match the lower Identity group.
  If any non-Identity policy uses the lower Identity group, client requests
  never match that policy.
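
The ordering and uniqueness rules above can be checked mechanically before a configuration change. The following is an added example, not part of the Cisco guide or of AsyncOS: it runs over a hypothetical in-memory model of the Identity table (the `IdentityGroup` class, the criteria strings, and all group and policy names are constructed) and assumes that "exact same membership" means identical criteria sets.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdentityGroup:
    name: str
    membership: frozenset   # hypothetical criteria strings, e.g. "subnet:10.1.0.0/16"
    requires_auth: bool

def lint_identity_order(groups, policy_refs):
    """groups: Identity groups in top-to-bottom evaluation order.
    policy_refs: {non-Identity policy name: Identity group name it uses}.
    Returns a list of (finding, subject, related) tuples."""
    findings = []
    first_auth = None   # first group (from the top) that requires authentication
    seen = {}           # membership criteria -> name of the highest group using them
    for g in groups:
        # Rule 1: groups without authentication must sit above those that require it.
        if g.requires_auth:
            first_auth = first_auth or g.name
        elif first_auth is not None:
            findings.append(("order", g.name, first_auth))
        # Rule 2: identical membership means the lower group is never matched,
        # and every policy that uses the lower group is never matched either.
        if g.membership in seen:
            findings.append(("shadowed", g.name, seen[g.membership]))
            for policy, ident in sorted(policy_refs.items()):
                if ident == g.name:
                    findings.append(("dead-policy", policy, g.name))
        else:
            seen[g.membership] = g.name
    return findings

# Constructed sample table (not taken from a real appliance).
SAMPLE_GROUPS = [
    IdentityGroup("Kiosks", frozenset({"subnet:10.9.0.0/24"}), False),
    IdentityGroup("Staff", frozenset({"subnet:10.1.0.0/16"}), True),
    IdentityGroup("Staff-Copy", frozenset({"subnet:10.1.0.0/16"}), True),
    IdentityGroup("Printers", frozenset({"subnet:10.8.0.0/24"}), False),
]
SAMPLE_POLICIES = {"Access: Contractors": "Staff-Copy", "Access: Staff": "Staff"}

if __name__ == "__main__":
    for finding in lint_identity_order(SAMPLE_GROUPS, SAMPLE_POLICIES):
        print(finding)
```
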