Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide, Chapter 20 Authentication, page 20-32
• When all Active Directory domains exist in the same forest, there must be a trust relationship among all domains in the forest.
• When an Active Directory domain exists in a different forest, the domain that the Web Security appliance joins must have at least a one way trust with the domain where the users belong.
AsyncOS allows you to create up to 10 NTLM authentication realms. You might want to create multiple
NTLM realms when the Web Proxy must authenticate users in different Active Directory forests that do
not have mutual trust with another forest.
Note
To create multiple NTLM realms, the client IP addresses in one NTLM realm must not overlap with the
client IP addresses in another NTLM realm.
When you define policy group membership by group name, the web interface only displays Active
Directory groups in the domain where AsyncOS created a computer account when joining the domain.
To create a policy group for users in a different domain, manually enter the domain and group name in
the web interface.
Note
Cisco recommends creating as few NTLM realms as necessary. Creating multiple NTLM realms requires
additional memory usage for authentication.
Supported Authentication Characters
This section lists the characters the Web Security appliance supports when it communicates with LDAP
and Active Directory servers. For authentication to work properly, verify that your authentication servers
only use the supported characters listed in this section.
For example, according to Table 20-15, the appliance can validate users with the following Active Directory user name:
jsmith#123
And according to Table 20-15, the appliance cannot validate users with the following Active Directory user name:
jsmith+
Active Directory Server Supported Characters
Table 20-15 lists the characters the Web Security appliance supports for the User Name field for Active Directory servers.

Table 20-15 Supported Active Directory Server Characters — User Name Field

Supported Characters:
  A...Z a...z
  0 1 2 3 4 5 6 7 8 9
  ` ~ ! # $ % ^ & ( ) _ - { } ' . @
  space

Characters Not Supported:
  / \ [ ] : ; | = , + * ? < > "
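The following is an added example, not code from the Cisco guide: it encodes the Table 20-15 character set and audits a constructed list of Active Directory user names (including the guide's own jsmith#123 and jsmith+ examples) so that accounts the appliance cannot validate are found before authentication is enabled. The sample names are constructed, not a real directory export.

```python
# Added example (not from the Cisco guide): audit Active Directory user names
# against the character set Table 20-15 lists for the AD User Name field.
import string

# Characters Table 20-15 lists as supported for the Active Directory User Name field.
SUPPORTED = set(string.ascii_letters + string.digits + "`~!#$%^&()_-{}'.@ ")
# Characters Table 20-15 lists explicitly as not supported.
NOT_SUPPORTED = set('/\\[]:;|=,+*?<>"')


def check_ad_username(name: str) -> dict:
    """Report which characters of `name` fall outside the supported set.

    'unsupported' holds characters the table explicitly rejects; 'unlisted'
    holds characters that appear in neither column (for example non-ASCII),
    which are treated as unsupported too, because the guide only guarantees
    the listed set.
    """
    unsupported = sorted({c for c in name if c in NOT_SUPPORTED})
    unlisted = sorted({c for c in name if c not in SUPPORTED and c not in NOT_SUPPORTED})
    return {
        "name": name,
        "ok": not unsupported and not unlisted,
        "unsupported": unsupported,
        "unlisted": unlisted,
    }


def audit(names):
    """Return only the names the appliance would fail to validate, with the reason."""
    return [r for r in (check_ad_username(n) for n in names) if not r["ok"]]


if __name__ == "__main__":
    # Constructed sample sAMAccountNames, including the two examples from the guide.
    SAMPLE_NAMES = ["jsmith#123", "jsmith+", "a.lee", "bob smith", "c=ops", "müller"]
    for result in audit(SAMPLE_NAMES):
        print(f"{result['name']!r}: unsupported={result['unsupported']} "
              f"unlisted={result['unlisted']}")
```

Run it against a real sAMAccountName export (one name per line) to find accounts that need renaming before the realm goes live.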