Cisco Web Security Appliance S360 Release Notes

CISCO IRONPORT ASYNCOS 6.3.8 FOR WEB RELEASE NOTES
Re-Authentication
In AsyncOS for Web 6.0, it is possible for a user to re-authenticate when blocked from 
accessing a web site due to restrictive URL filtering. Users can enter different authentication 
credentials that allow broader access. To do this, enable the “Enable Re-Authentication 
Prompt If End User Blocked by URL Category” global authentication setting. This is useful, 
for example, when authenticating users on a shared workstation, or when allowing a teacher 
to enter higher-privileged credentials to give students access to restricted websites for a 
limited time.
For more information, see the “Allowing Users to Re-Authentication” section in the 
“Authentication” chapter of the IronPort AsyncOS for Web User Guide. You can view this 
chapter in the PDF or the online help.
Guest Access (Failed Authentication)
Sometimes, users do not have an account in an organization’s user directory. Examples of 
such users include visitors, contractors, interns, and students pursuing a short course. 
AsyncOS for Web 6.0 allows you to define policies for these users who fail authentication due 
to invalid credentials. Users who fail authentication and are granted access are logged in as 
guests, and their activities are logged by user name (as entered by the user) or IP address with 
a tag indicating the user was not authenticated.
To grant guest access to users who fail authentication, you create an identity that requires 
authentication, but also allows guest privileges. Then you create another policy using that 
identity and apply that policy to the guest users. When users have guest access, they can 
access the resources defined in the policy group that specifies guest access for that identity. 
Typically, guest policies allow for limited access to web resources.
For more information, see the “Allowing Guest Access to Users Who Fail Authentication” 
section in the “Identities” chapter of the IronPort AsyncOS for Web User Guide. You can view 
this chapter in the PDF or the online help.
NTLM Authentication Caching
In previous versions, when the Web Security appliance used cookie-based NTLMSSP 
authentication, users were authenticated against the Active Directory server every time they 
made a request to a new domain. Now in AsyncOS for Web 6.0, the Web Security appliance 
uses authentication caching to reduce the load on the Active Directory server. It does this by 
adding a master cookie to the request when the user is authenticated for the first time. 
Subsequent requests get authenticated by validating the cookie, and frequent requests to the 
Active Directory server are avoided, improving overall authentication performance.
Active Directory 2008 Support
AsyncOS for Web 6.0 supports Active Directory 2008, without requiring a domain controller 
running Windows Server 2003 or older versions in the network.
Surrogates in Explicit Forward Mode
In previous versions, you could configure authentication surrogates for tracking users in 
transparent mode or when secure client authentication (now known as credential encryption)