Cisco Cisco Web Security Appliance S160 Guía Del Usuario
8-26
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 8 Identities
Example Identity Policies Tables
Example 2
shows a policies table with two user defined Identity groups. The first Identity group applies
to all subnets, requires authentication, and specifies RealmA for authentication. The second Identity
group applies to all subnets, requires authentication, and specifies RealmB for authentication. Neither
Identity group has any advanced option configured. The global Identity group applies to all subnets,
requires authentication, and specifies the All Realms sequence for authentication.
group applies to all subnets, requires authentication, and specifies RealmB for authentication. Neither
Identity group has any advanced option configured. The global Identity group applies to all subnets,
requires authentication, and specifies the All Realms sequence for authentication.
In this scenario, when a client sends a request for a URL, the Web Proxy evaluates the first Identity group
and determines that the Identity group applies to all subnets and has no advanced options configured. It
determines that the Identity group requires authentication and that the only realm specified in the
Identity group is RealmA. Therefore, in order for a client on any subnet to pass authentication, it must
exist in RealmA.
and determines that the Identity group applies to all subnets and has no advanced options configured. It
determines that the Identity group requires authentication and that the only realm specified in the
Identity group is RealmA. Therefore, in order for a client on any subnet to pass authentication, it must
exist in RealmA.
When a client that exists in RealmA sends a request for a URL, the client passes authentication and the
Web Proxy assigns the first Identity group to the transaction. When a client that does not exist in RealmA
sends a request for a URL, the client fails authentication and the Web Proxy terminates the request.
Web Proxy assigns the first Identity group to the transaction. When a client that does not exist in RealmA
sends a request for a URL, the client fails authentication and the Web Proxy terminates the request.
Note that when a client in RealmB sends a request for a URL, the Web Proxy does not match the client
request with the second Identity group. This is because a previous Identity group already applies to the
same subnets (and the exact same advanced options, which in this example is none) in the second Identity
group and it requires authentication, but from RealmA instead. Clients in RealmB do not “fall through”
to the second Identity group.
request with the second Identity group. This is because a previous Identity group already applies to the
same subnets (and the exact same advanced options, which in this example is none) in the second Identity
group and it requires authentication, but from RealmA instead. Clients in RealmB do not “fall through”
to the second Identity group.
If you want users in RealmB to have different Access, Decryption, and Routing Policy settings applied
to them than users in RealmA, perform the following steps:
to them than users in RealmA, perform the following steps:
Step 1
Create an authentication sequence that contains both RealmA and RealmB. You can choose the order of
the realms in the sequence depending on your business needs.
the realms in the sequence depending on your business needs.
Step 2
Create one Identity group and configure it for whichever subnets on which users in RealmA and RealmB
might exist. In this example, you would configure the Identity group for all subnets.
might exist. In this example, you would configure the Identity group for all subnets.
Step 3
Configure the Identity group to use the sequence you defined in step
Step 4
Create two user defined policy groups of the same type, such as Access Policies, and configure them
both to use the Identity group with the authentication sequence you defined in step
both to use the Identity group with the authentication sequence you defined in step
Step 5
Configure the first policy group to only apply to users in one realm, such as RealmA. You can do this by
specifying a particular realm in the sequence, or by using authentication groups, or entering specific
usernames.
specifying a particular realm in the sequence, or by using authentication groups, or entering specific
usernames.
Step 6
Configure the second policy group to only apply to users in the other realm, such as RealmB. You can
do this by specifying a particular realm in the sequence, or by using authentication groups, or entering
specific usernames.
do this by specifying a particular realm in the sequence, or by using authentication groups, or entering
specific usernames.
Table 8-5
Policies Table Example 2
Order
Subnet(s)
Authentication
Required?
Required?
Realm or
Sequence
Sequence
Advanced Options
1
All
Yes
RealmA
none
2
All
Yes
RealmB
none
Global Identity
policy
policy
All
Yes
All Realms
N/A (none by default)