Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 7 Working with Policies
Policy Group Membership
By separating authentication from authorization, you can create a single Identity group that identifies a group of users and then create multiple policy groups that allow different levels of access to subsets of the users in that Identity.
For example, you can create one Identity group that covers all users in an authentication sequence. Then you can create an Access Policy group for each authentication realm in the sequence. You can also use this Identity to create one Decryption Policy with the same level of access for all users in the Identity.
Working with Failed Authentication and Authorization
You can allow users another opportunity to access the web if they fail authentication or authorization. How you configure the Web Security appliance depends on which of the two fails:
• Authentication. When authentication fails, you can grant guest access to the user. Authentication might fail under the following circumstances:
– A new hire has been provided credentials in an email, but they are not yet populated in the authentication server.
– A visitor comes to the office and needs to be granted restricted Internet access, but is not in the corporate user directory.
For more information on configuring guest access, see
• Authorization. A user might authenticate correctly, but not be granted access to the web due to the applicable Access Policy. In this case, you can allow the user to re-authenticate with more privileged credentials. To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction” global authentication setting. For more information, see
Working with All Identities
You can create a policy group that specifies “All Identities” as the configured Identity group. “All Identities” applies to every valid client request because, by definition, every request either succeeds and has a user-defined or global Identity assigned to it, or is terminated because it fails authentication (and no guest access was provided for users failing authentication).
When you create a policy group that uses All Identities, you must configure at least one advanced option to distinguish the policy group from the global policy group.
Typically, you use All Identities in a policy while also configuring an advanced option, such as a particular user agent or destination (using a custom URL category). This allows you to create a single rule that makes an exception for a specific case instead of creating multiple rules to make the same exception for every Identity. For example, you can create an Access Policy group whose membership applies to All Identities and a custom URL category for all intranet pages. Then you can configure the Access Policy control settings to disable anti-malware filtering and Web Reputation scoring. Because such an exception turns off scanning for everything the custom URL category matches, keep the category's membership limited to hosts you control.
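The following is an added illustration, not Cisco code and not the appliance's own matching logic: a small Python model of the membership rules this chapter describes. It evaluates the Identity first, then walks the ordered policy groups and matches each by its Identity plus optional advanced criteria (a subnet that narrows the Identity's subnet, a User-Agent pattern, a custom URL category, or a single realm of the Identity's authentication sequence); an "All Identities" group with one advanced option becomes a single exception rule; a failed authentication yields guest access only when the Identity allows it and otherwise terminates the request; and anything unmatched falls through to the global policy. The Identity and policy group names, subnets, realms and hostnames are constructed for the example.

```python
"""Toy model of AsyncOS-style policy group membership (added example, not Cisco code).
Rules modelled: Identity evaluated first; policy groups matched top-down by Identity
plus optional advanced criteria; "All Identities" covers every request that is not
terminated; failed authentication -> guest only if the Identity allows it; otherwise
fall through to the global policy. All names and data below are constructed."""
from dataclasses import dataclass
import ipaddress
import re
from typing import List, Optional, Tuple

ALL_IDENTITIES = "All Identities"
GLOBAL_IDENTITY = "Global Identity Policy"   # assumed name for the built-in Identity
GLOBAL_POLICY = "Global Policy"              # assumed name for the built-in policy group
TERMINATED = "terminated"                    # auth failed and no guest access granted


@dataclass(frozen=True)
class Request:
    client_ip: str
    user_agent: str
    url_host: str
    auth_ok: bool                 # did the proxy authenticate the user?
    realm: Optional[str] = None   # realm that authenticated the user, if any


@dataclass
class Identity:
    name: str
    subnet: Optional[str] = None          # membership by client subnet
    realms: tuple = ()                    # authentication sequence (ordered realms)
    guest_on_auth_failure: bool = False   # grant guest access when auth fails

    def in_subnet(self, r: Request) -> bool:
        return self.subnet is None or ipaddress.ip_address(r.client_ip) in ipaddress.ip_network(self.subnet)


@dataclass
class PolicyGroup:
    name: str
    identity: str                         # an Identity name or ALL_IDENTITIES
    subnet: Optional[str] = None          # narrows the Identity's subnet further
    user_agent: Optional[str] = None      # regex matched against the User-Agent header
    url_category: frozenset = frozenset() # hosts in a custom URL category
    realm: Optional[str] = None           # restrict to one realm of the Identity's sequence

    def matches(self, r: Request, identity: str, realm: Optional[str]) -> bool:
        if self.identity not in (ALL_IDENTITIES, identity):
            return False
        if self.subnet and ipaddress.ip_address(r.client_ip) not in ipaddress.ip_network(self.subnet):
            return False
        if self.user_agent and not re.search(self.user_agent, r.user_agent):
            return False
        if self.url_category and r.url_host not in self.url_category:
            return False
        if self.realm and realm != self.realm:
            return False
        return True


def classify_identity(identities: List[Identity], r: Request) -> Tuple[str, Optional[str]]:
    """Identity groups are evaluated before any policy type; first match wins."""
    for ident in identities:
        if not ident.in_subnet(r):
            continue
        if not ident.realms:                         # no authentication required
            return ident.name, None
        if r.auth_ok and r.realm in ident.realms:    # authenticated in a covered realm
            return ident.name, r.realm
        if not r.auth_ok:                            # authentication failed
            if ident.guest_on_auth_failure:
                return ident.name, None              # guest: no realm to match on
            return TERMINATED, None
        # authenticated in a realm this Identity does not cover: try the next one
    return GLOBAL_IDENTITY, None


def select_policy(identities: List[Identity], policies: List[PolicyGroup], r: Request) -> Tuple[str, Optional[str]]:
    identity, realm = classify_identity(identities, r)
    if identity == TERMINATED:
        return TERMINATED, None
    for pg in policies:                              # policy groups are ordered top-down
        if pg.matches(r, identity, realm):
            return identity, pg.name
    return identity, GLOBAL_POLICY


def build_config(guest_access: bool = True):
    """Constructed configuration mirroring the examples in this section."""
    identities = [Identity("Corporate Users", subnet="10.0.0.0/8",
                           realms=("CORP-AD", "CONTRACTOR-LDAP"),
                           guest_on_auth_failure=guest_access)]
    policies = [
        # All Identities + custom URL category: one exception rule for intranet pages
        PolicyGroup("Intranet Bypass", ALL_IDENTITIES, url_category=frozenset({"intranet.example.com"})),
        # All Identities + user agent: one rule for an update client regardless of user
        PolicyGroup("Patch Downloads", ALL_IDENTITIES, user_agent=r"^Windows-Update-Agent"),
        # subnet criteria of the Identity narrowed further in the policy group
        PolicyGroup("Engineering VLAN", "Corporate Users", subnet="10.20.0.0/16"),
        # one Access Policy per realm of the Identity's authentication sequence
        PolicyGroup("Employees", "Corporate Users", realm="CORP-AD"),
        PolicyGroup("Contractors", "Corporate Users", realm="CONTRACTOR-LDAP"),
    ]
    return identities, policies


def evaluate(r: Request, guest_access: bool = True) -> Tuple[str, Optional[str]]:
    identities, policies = build_config(guest_access)
    return select_policy(identities, policies, r)


if __name__ == "__main__":
    for req in (Request("10.20.5.5", "Mozilla/5.0", "intranet.example.com", True, "CORP-AD"),
                Request("10.30.1.1", "Mozilla/5.0", "www.example.com", False)):
        print(req.client_ip, req.url_host, "->", evaluate(req))
```

Note how a visitor who fails authentication is treated: with guest access on the Identity, the request keeps the Identity but matches none of the realm-specific groups and lands in the global policy; with guest access off, the same request is terminated before any policy group is consulted, which is exactly why an "All Identities" group never needs to consider unauthenticated users.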
Policy Group Membership Rules and Guidelines
Consider the following rules and guidelines when defining policy group membership:
• The Web Proxy evaluates Identity groups before the other policy types.
• Subnet membership criteria defined in the Identity group can be further narrowed down in the policy group that uses that Identity group.