Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 8 Identities
Identifying Users Transparently
However, you can configure the Web Security appliance so that it identifies users by an authenticated
user name transparently, that is, without prompting the end user. Identification is a way of obtaining
user credentials that have already been established by another trusted source. AsyncOS for Web assumes that the
user name has already been authenticated by the trusted source that provides it.
You might want to identify users transparently to:
• Create a single sign-on environment so users are not aware of the presence of a proxy on the network.
• Apply authentication-based policies to transactions coming from client applications that are incapable of displaying the authentication prompt to end users.
Identifying users transparently only affects how the Web Proxy obtains the user name and assigns an
Identity group. After it obtains the user name and assigns an Identity, it applies all other policies
normally, regardless of how it assigned the Identity.
To identify users transparently, complete the following basic steps:
1. Define at least one authentication realm that supports transparent user identification. For more information, see .
2. Create an Identity group that identifies users transparently, and then specify the authentication realm created in the previous step.
Note
You can also transparently identify remote users when using Secure Mobility Solution. For more
information, see
.
Understanding Transparent User Identification
You can identify users transparently using one of the following authentication servers:
• Active Directory. Create an NTLM authentication realm and enable transparent user identification. In addition, you must deploy a separate utility called the Cisco Active Directory Agent (AD Agent). For more information, see .
• Novell eDirectory. Create an LDAP authentication realm that supports Novell eDirectory. For more information, see .
AsyncOS for Web works with either Novell eDirectory or the Active Directory Agent to maintain a
mapping that matches authenticated user names to their current IP addresses. AsyncOS for Web
communicates with the Novell eDirectory server and the Active Directory Agent at regular intervals to
maintain the current IP address to user name mapping.
The following steps occur when transparent user identification is enabled:
1. The client makes a request for a website.
2. The Web Security appliance receives the client request and obtains the client IP address from the request.
3. AsyncOS for Web checks the IP address to user name mapping stored on the Web Security appliance to assign a user name to the client request. If no match is found for transparent user identification with Active Directory, AsyncOS for Web then contacts the Active Directory Agent to find a matching user name.
4. Assuming it matches a user name to the IP address, AsyncOS for Web fetches the user's groups from the Novell eDirectory server or Active Directory server.
5. AsyncOS for Web applies policies to the transaction as appropriate.
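The five steps above, modelled as an added Python example. This is not AsyncOS, AD Agent or eDirectory code; the sample IP-to-user mappings, the directory groups, the 60-second trust window for a cached mapping, the fallback value returned when no user name maps to an IP, and the default action when no policy matches are all constructed assumptions. What the model adds to the text is the timing behaviour: the local mapping is only as current as the last refresh, so a user change at an IP is not seen until the cached entry ages out and the agent is asked again.

```python
"""Model of the transparent user identification flow (steps 1-5 above).

Added illustration only; none of this is AsyncOS, AD Agent or eDirectory code.
The mappings, groups, trust window, fallback and default action are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample data standing in for what the AD Agent / eDirectory reports:
# the source's current IP -> user-name view, and each user's directory groups.
SOURCE_MAPPING: Dict[str, str] = {"10.0.0.5": "alice", "10.0.0.6": "bob"}
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Engineering", "Domain Users"},
    "bob": {"Finance", "Domain Users"},
}


@dataclass
class Policy:
    name: str
    group: Optional[str]   # None matches any identified user
    action: str            # "allow" or "block"


class TransparentIdentifier:
    """Keeps the local IP -> user-name mapping and applies policies to one request."""

    def __init__(self, agent: Callable[[str], Optional[str]],
                 groups: Callable[[str], Set[str]],
                 max_age: float, clock: Callable[[], float]):
        self._agent = agent        # stand-in for querying the AD Agent / eDirectory for one IP
        self._groups = groups      # stand-in for fetching a user's groups from the directory
        self._max_age = max_age    # assumed: seconds a cached mapping is trusted before re-checking
        self._clock = clock        # injected clock so the example is deterministic
        self._cache: Dict[str, Tuple[str, float]] = {}   # ip -> (user, learned_at)

    def sync(self, mapping: Dict[str, str]) -> None:
        """Periodic refresh from the source: replace the whole local mapping (regular-interval sync)."""
        now = self._clock()
        self._cache = {ip: (user, now) for ip, user in mapping.items()}

    def identify(self, client_ip: str) -> Optional[str]:
        """Step 3: local lookup first; on a miss or an aged-out entry ask the agent."""
        hit = self._cache.get(client_ip)
        if hit is not None and self._clock() - hit[1] <= self._max_age:
            return hit[0]
        user = self._agent(client_ip)
        if user is None:
            self._cache.pop(client_ip, None)   # drop a stale entry rather than keep guessing
            return None
        self._cache[client_ip] = (user, self._clock())
        return user

    def decide(self, client_ip: str, policies, fallback: str = "prompt") -> Tuple[Optional[str], str]:
        """Steps 2-5 for one request: identify, fetch groups, apply the first matching policy.

        `fallback` is what this model returns when no user name maps to the IP; the
        appliance's real behaviour in that case is configured elsewhere (assumption).
        """
        user = self.identify(client_ip)
        if user is None:
            return (None, fallback)
        groups = self._groups(user)
        for policy in policies:
            if policy.group is None or policy.group in groups:
                return (user, policy.action)
        return (user, "allow")   # assumed default when no policy matches


POLICIES = [
    Policy("block-finance", "Finance", "block"),
    Policy("allow-identified", None, "allow"),
]


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Run one request per client through the flow and return the decisions."""
    source = dict(SOURCE_MAPPING)                      # local copy the demo may change
    groups = {u: set(g) for u, g in DIRECTORY_GROUPS.items()}
    now = [1000.0]                                     # fake clock the demo can advance
    ident = TransparentIdentifier(source.get, lambda u: groups.get(u, set()),
                                  max_age=60, clock=lambda: now[0])
    ident.sync(source)
    results = {
        "alice": ident.decide("10.0.0.5", POLICIES),
        "bob": ident.decide("10.0.0.6", POLICIES),
        "unknown": ident.decide("10.0.0.99", POLICIES),
    }
    # alice logs off and carol logs on at the same IP; the source learns this, but the
    # appliance's cached entry still says "alice" until it ages out and is re-checked.
    source["10.0.0.5"] = "carol"
    groups["carol"] = {"Finance"}
    results["stale"] = ident.decide("10.0.0.5", POLICIES)
    now[0] += 61                                       # cached entry passes max_age
    results["after_expiry"] = ident.decide("10.0.0.5", POLICIES)
    return results


if __name__ == "__main__":
    for label, decision in demo().items():
        print(label, decision)
```

The "stale" case is the one to keep in mind when choosing the refresh interval: between refreshes the appliance applies the previous user's policies to whoever now holds that IP. The mapping is keyed on IP alone, so anything that puts several users behind one address (NAT, terminal servers, shared workstations) cannot be told apart by this mechanism, and the appliance trusts whatever the agent or eDirectory server reports, so that source and its channel to the appliance are part of the trust boundary.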