Cisco Web Security Appliance S170 User Guide
21-9
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
Understanding How Authentication Works
lists advantages and disadvantages of using transparent Basic authentication and
cookie-based credential caching.
Explicit Forward Deployment, NTLM Authentication
The Web Proxy uses a third-party challenge-and-response system (NTLM) to authenticate users on the network.
The authentication process comprises these steps:
Step 1
Client sends a request to the Web Proxy to connect to a web page.
Step 2
Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
Step 3
Client repeats the request and includes a “Proxy-Authorization” HTTP header with an NTLM “negotiate”
message.
Step 4
Web Proxy responds with a 407 HTTP response and an NTLM “challenge” message based on the
negotiate message from the client.
Step 5
Client repeats the request and includes a response to the challenge message.
Note
The client uses an algorithm based on its password to modify the challenge and sends the
challenge response to the Web Proxy.
Step 6
Web Proxy passes the authentication information to the Active Directory server. The Active Directory
server then verifies that the client used the correct password based on whether or not it modified the
challenge string appropriately.
Step 7
If the challenge response passes, the Web Proxy returns the requested web page.
Note
Additional requests on the same TCP connection do not need to be authenticated again with the Active
Directory server.
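The seven-step exchange above, modelled end to end as an added example (this is not Cisco code and does not reproduce the real NTLM message formats or hash functions). The client, proxy and directory are plain Python objects; the "modify the challenge with the password" step is a stand-in HMAC-SHA256 keyed by a password-derived secret, and the Proxy, client_session, directory_verify and message layouts are assumptions made for the example. It shows the two properties the steps imply: the proxy only forwards a challenge response and never sees the password, and a second request on the same connection skips the directory round trip while a new connection starts over.

```python
"""Simulated explicit-forward NTLM-style proxy authentication (Steps 1-7).

Constructed example; the challenge/response arithmetic is a simplified
stand-in (HMAC-SHA256 over the server challenge, keyed by a password-derived
secret), not the NTLM algorithm itself.
"""
import base64
import hashlib
import hmac
import os


# --- Active Directory stand-in -------------------------------------------
def derive_secret(password: str) -> bytes:
    # Stand-in for the stored password hash (assumption, not NTLM's NT hash).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed sample account: only the derived secret is stored server-side.
DIRECTORY = {"DOMAIN\\alice": derive_secret("correct horse battery staple")}


def directory_verify(user: str, challenge: bytes, response: bytes) -> bool:
    # Step 6: recompute the expected response and compare in constant time.
    secret = DIRECTORY.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# --- Client side -------------------------------------------------------------
def client_answer(password: str, challenge: bytes) -> bytes:
    # Step 5 note: the password never leaves the client; only the keyed
    # transformation of the challenge is sent.
    return hmac.new(derive_secret(password), challenge, hashlib.sha256).digest()


# --- Web Proxy side ----------------------------------------------------------
class Proxy:
    def __init__(self):
        self.connections = {}  # conn_id -> {"auth": bool, "challenge": bytes|None}

    def handle(self, conn_id: str, headers: dict):
        """Return (status, response_headers) for one request on a connection."""
        state = self.connections.setdefault(conn_id, {"auth": False, "challenge": None})
        if state["auth"]:
            return 200, {}  # Step 7 note: same TCP connection, no re-authentication
        auth = headers.get("Proxy-Authorization", "")
        if not auth.startswith("NTLM "):
            return 407, {"Proxy-Authenticate": "NTLM"}  # Step 2
        msg = base64.b64decode(auth[5:])
        if msg.startswith(b"NEGOTIATE"):
            state["challenge"] = os.urandom(8)  # Step 4: fresh server challenge
            chal = base64.b64encode(b"CHALLENGE" + state["challenge"]).decode()
            return 407, {"Proxy-Authenticate": "NTLM " + chal}
        if msg.startswith(b"AUTHENTICATE\0") and state["challenge"] is not None:
            _, user_b, response = msg.split(b"\0", 2)
            ok = directory_verify(user_b.decode(), state["challenge"], response)
            state["challenge"] = None  # challenge is single-use
            if ok:
                state["auth"] = True
                return 200, {}  # Step 7
        return 407, {"Proxy-Authenticate": "NTLM"}


def client_session(proxy: Proxy, conn_id: str, user: str, password: str,
                   extra_requests: int = 1) -> list:
    """Drive Steps 1-7 on one connection; return the status codes observed."""
    statuses = []
    status, hdrs = proxy.handle(conn_id, {})  # Step 1: plain request
    statuses.append(status)
    if status != 407:
        return statuses
    negotiate = base64.b64encode(b"NEGOTIATE").decode()  # Step 3
    status, hdrs = proxy.handle(conn_id, {"Proxy-Authorization": "NTLM " + negotiate})
    statuses.append(status)
    chal_msg = base64.b64decode(hdrs["Proxy-Authenticate"][5:])
    challenge = chal_msg[len(b"CHALLENGE"):]
    auth_msg = b"AUTHENTICATE\0" + user.encode() + b"\0" + client_answer(password, challenge)
    status, hdrs = proxy.handle(conn_id, {"Proxy-Authorization": "NTLM " + base64.b64encode(auth_msg).decode()})
    statuses.append(status)
    if status != 200:
        return statuses
    for _ in range(extra_requests):  # further requests on the same connection
        status, _ = proxy.handle(conn_id, {})
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    proxy = Proxy()
    print(client_session(proxy, "conn-1", "DOMAIN\\alice", "correct horse battery staple"))
    print(client_session(proxy, "conn-2", "DOMAIN\\alice", "wrong password"))
```

A correct password yields 407, 407, 200 for the three-message handshake and 200 for the follow-up request without another directory call; a wrong password or unknown user ends in a third 407. Because authentication state is keyed by connection, a new connection (for example after a proxy restart or a connection-pool rotation) has to repeat the handshake, which is the behaviour to expect in proxy access logs.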
Table 21-6 Pros and Cons of Transparent Basic Authentication—Cookie Caching

Advantages
• Works with all major browsers
• Authentication is associated with the user rather than the host or IP address

Disadvantages
• Each new web domain requires the entire authentication process because cookies are domain specific
• Requires cookies to be enabled
• Does not work for HTTPS requests
• No single sign-on
• Password is sent as clear text (Base64)