Cisco Web Security Appliance S160 User Guide
AsyncOS 9.2 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Planning
• You can configure how the Web Proxy handles transactions when transparent user identification fails. It can grant users guest access, or it can force an authentication prompt to appear to end users.
• When a user is shown an authentication prompt because transparent user identification failed, and the user then fails authentication because of invalid credentials, you can choose whether to allow the user guest access.
• When the assigned Identification Profile uses an authentication sequence with multiple realms in which the user exists, AsyncOS for Web fetches the user's groups from the realms in the order in which they appear in the sequence.
• When you configure an Identification Profile to transparently identify users, the authentication surrogate must be IP address. You cannot select a different surrogate type.
• When you view detailed transactions for users, the Web Tracking page shows which users were identified transparently.
• You can log which users were identified transparently in the access and W3C logs using the %m and x-auth-mechanism custom fields, respectively. A log entry of SSO_TUI indicates that the user name was obtained by matching the client IP address to an authenticated user name using transparent user identification. (Similarly, a value of SSO_ASA indicates that the user is a remote user and the user name was obtained from a Cisco ASA using AnyConnect Secure Mobility.)
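The x-auth-mechanism field is what you inspect when verifying a TUI deployment. As an added example (not code from the Cisco guide), the following Python script parses a W3C-style access log whose #Fields header includes x-auth-mechanism, counts transactions per identification mechanism, and flags any client IP address that SSO_TUI mapped to more than one user name. Because the surrogate for transparently identified users is the IP address, one address carrying two names (NAT, a terminal server, a shared host) means requests are being attributed to the wrong user. The column order, the sample log lines and the "-" placeholder for transactions with no identified user are constructed for this example, not taken from a real appliance.

```python
"""Summarize how users were identified in a Cisco WSA W3C access log.

Added example, not part of the Cisco guide. It assumes a custom W3C log
format whose #Fields header includes the x-auth-mechanism field described
in the guide; the column order and the sample lines are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample W3C log (not a real capture). "-" marks an empty field.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: timestamp c-ip cs-username x-auth-mechanism cs-url
1464800000.123 10.1.2.10 CORP\\alice SSO_TUI http://example.com/
1464800001.456 10.1.2.11 CORP\\bob SSO_TUI http://example.com/a
1464800002.789 10.1.2.10 CORP\\alice SSO_TUI http://example.com/b
1464800003.012 198.51.100.7 CORP\\carol SSO_ASA http://example.com/c
1464800004.345 10.1.2.11 CORP\\dave SSO_TUI http://example.com/d
1464800005.678 10.1.2.12 - - http://example.com/e
"""


def parse_w3c(text):
    """Parse W3C extended-log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Version or #Date
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def summarize_mechanisms(records):
    """Count transactions per x-auth-mechanism value ("-" = no user identified)."""
    return Counter(r["x-auth-mechanism"] for r in records)


def tui_ip_conflicts(records):
    """Return {ip: {users}} for IPs that SSO_TUI mapped to more than one user name.

    TUI keys the identity on the client IP address, so two names behind one
    address indicate misattributed transactions (NAT, terminal server, shared host).
    """
    users_by_ip = defaultdict(set)
    for r in records:
        if r["x-auth-mechanism"] == "SSO_TUI":
            users_by_ip[r["c-ip"]].add(r["cs-username"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for mechanism, count in summarize_mechanisms(recs).most_common():
        print(f"{mechanism:10s} {count}")
    for ip, users in tui_ip_conflicts(recs).items():
        print(f"WARNING: {ip} identified as {sorted(users)} via SSO_TUI")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the parser only needs the #Fields header to name the columns, so it works with whatever custom field order you configured for the W3C log subscription.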
Configuring Transparent User Identification
Configuring transparent user identification and authorization is detailed in
• Create and order authentication realms.
• Create Identification Profiles to classify users and client software.
• Create policies to manage web requests from the identified users and user groups.
Using the CLI to Configure Advanced Transparent User Identification Settings
AsyncOS for Web provides the following TUI-related CLI commands:
• tuiconfig – Configure advanced settings associated with transparent user identification. Batch mode can be used to configure multiple parameters simultaneously.
  – Configure mapping timeout for Active Directory agent – Length of time, in minutes, that IP-address-to-user mappings retrieved by the AD agent are cached when there are no updates from the agent.
  – Configure proxy cache timeout for Active Directory agent – Length of time, in seconds, that proxy-specific IP-address-to-user mappings are cached; valid values range from 5 to 1200 seconds. The default and recommended value is 120 seconds. Specifying a lower value may negatively affect proxy performance.
  – Configure mapping timeout for Novell eDirectory – Length of time, in seconds, that IP-address-to-user mappings retrieved from the eDirectory server are cached when there are no updates from the server.
  – Configure query wait time for Active Directory agent – Length of time, in seconds, to wait for a reply from the Active Directory agent. When a query takes longer than this value, transparent user identification is considered to have failed, and the failure handling configured for the Identification Profile (guest access or an authentication prompt) applies. This limits the authentication delay experienced by the end user.