Cisco Web Security Appliance S170 User Guide
20-3
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 20 Authentication
Overview of Authentication
• NTLMSSP. When NTLMSSP authentication is used to authenticate users, you should only enable
authentication on either the Web Security appliance or the upstream proxy server, but not both.
Cisco recommends configuring the Web Security appliance to use authentication. This allows you
to create policies based on user authentication.
If both the appliance and the upstream proxy use authentication with NTLMSSP, depending on the
configurations, the appliance and upstream proxy might engage in an infinite loop of requesting
authentication credentials. For example, if the upstream proxy requires Basic authentication, but the
appliance requires NTLMSSP authentication, then the appliance can never successfully pass Basic
credentials to the upstream proxy. This is due to limitations in authentication protocols.
• Basic. When Basic authentication is used to authenticate users, you can enable authentication on
either the appliance or upstream proxy server, or on both the appliance and upstream proxy server.
However, when both the Web Security appliance and upstream proxy server use Basic
authentication, do not enable the Credential Encryption feature on the downstream Web Security
appliance. When Credential Encryption is enabled on the downstream appliance, client requests fail
because the Web Proxy receives an “Authorization” HTTP header from clients, but the upstream
proxy server requires a “Proxy-Authorization” HTTP header.
Authenticating Users
When users access the web through the Web Security appliance, they might get prompted to enter a user
name and password. The Web Proxy requires authentication credentials for some users depending on the
configured Identity and Access Policy groups. Users should enter the user name and password of the
credentials recognized by the organization’s authentication server.
When the Web Proxy uses NTLMSSP authentication with an NTLM authentication realm, users are
typically not prompted to enter a user name and password if single sign-on is configured correctly.
However, if users are prompted for authentication, they must type the name of their Windows domain
before their user name. For example, if user jsmith is on Windows domain MyDomain, then the user
should type the following text in the user name field:
MyDomain\jsmith
However, if the Web Proxy uses Basic authentication for an NTLM authentication realm, then entering
the Windows domain is optional. If the user does not enter the Windows domain, then the Web Proxy
prepends the default Windows domain.
Note
When the Web Proxy uses authentication with an LDAP authentication realm, ensure users do not enter
the Windows domain name.
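As an added illustration (not code from the Cisco guide), the Python sketch below models two points made above: how the text typed in the user-name field is interpreted for an NTLM realm (NTLMSSP versus Basic) and for an LDAP realm, and why Basic credentials that reach the Web Proxy in an “Authorization” header cannot satisfy an upstream proxy that expects “Proxy-Authorization”. All function names, the password and the header dictionaries are assumptions constructed for the example.

```python
import base64

# Added illustration (not Cisco code): parse_user_field, basic_credential,
# decode_basic and upstream_basic_proxy are hypothetical helpers; the user,
# domain and password values below are constructed sample data.

def parse_user_field(field, realm_type, scheme, default_domain=None):
    """Return (domain, user) for what a user typed in the user-name field.
    realm_type is "ntlm" or "ldap"; scheme is "ntlmssp" or "basic"."""
    domain, sep, user = field.rpartition("\\")
    if realm_type == "ldap":
        if sep:  # LDAP realms must not be given a Windows domain prefix
            raise ValueError("LDAP realm: do not enter a Windows domain")
        return None, field
    if realm_type == "ntlm" and scheme == "ntlmssp":
        if not sep:  # an NTLMSSP prompt requires DOMAIN\user
            raise ValueError("NTLMSSP prompt: type DOMAIN\\user")
        return domain, user
    if realm_type == "ntlm" and scheme == "basic":
        # Domain is optional; the Web Proxy prepends the default domain
        return (domain if sep else default_domain), user
    raise ValueError("unsupported realm/scheme combination")

def basic_credential(domain, user, password):
    """Build the Basic credential value a client would send."""
    ident = f"{domain}\\{user}" if domain else user
    return "Basic " + base64.b64encode(f"{ident}:{password}".encode()).decode()

def decode_basic(value):
    """Inverse of basic_credential: (ident, password) from a Basic value."""
    raw = base64.b64decode(value.split(" ", 1)[1]).decode()
    return tuple(raw.split(":", 1))

def upstream_basic_proxy(headers):
    """Model of an upstream proxy that requires Basic proxy authentication.
    It reads only Proxy-Authorization, so credentials that arrive in a plain
    Authorization header (what the Web Proxy receives from clients when
    Credential Encryption is enabled) leave the request unauthenticated."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cred = lowered.get("proxy-authorization", "")
    return 200 if cred.startswith("Basic ") else 407

if __name__ == "__main__":
    cred = basic_credential("MyDomain", "jsmith", "constructed-password")
    print(parse_user_field("jsmith", "ntlm", "basic", default_domain="MyDomain"))
    print(upstream_basic_proxy({"Proxy-Authorization": cred}),
          upstream_basic_proxy({"Authorization": cred}))
```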
Working with Failed Authentication
Sometimes users are blocked from the web due to authentication failure. The following list describes
reasons for authentication failure and remedial actions you can take:
• Client application cannot perform authentication. Some clients cannot perform authentication or
cannot perform the type of authentication that is required. If a client application causes
authentication to fail, you can define an Identity policy based on the user agent and exclude it from
requiring authentication. Or, you can define an Identity policy based on a custom URL category to
exclude all clients from requiring authentication when accessing particular URLs.