Cisco Web Security Appliance S680 User Guide
5-4
AsyncOS 8.7 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Planning
Active Directory/Basic
Explicit Forward
Transparent, IP-Based Caching
Transparent, Cookie-Based Caching
Advantages:
• Supported by all browsers and most other applications
• RFC-based
• Minimal overhead
• Works for HTTPS (CONNECT) requests
• Because the password is not transmitted to the authentication server, it is more secure
• Connection is authenticated, not the host or IP address
• Achieves true single sign-on in an Active Directory environment when the client applications are configured to trust the
Disadvantages:
• Password sent as clear text (Base64) for every request
• No single sign-on
• Moderate overhead: each new connection needs to be re-authenticated
• Primarily supported on Windows only and with major browsers only
Advantages:
• Works with all major browsers
• With user agents that do not support authentication, users only need to authenticate first in a supported browser
• Relatively low overhead
• Works for HTTPS requests if the user has previously authenticated with an HTTP request
Disadvantages:
• Authentication credentials are associated with the IP address, not the user (does not work in Citrix and RDP environments, or if the user changes IP address)
• No single sign-on
• Password is sent as clear text (Base64)
Advantages:
• Works with all major browsers
• Authentication is associated with the user rather than the host or IP address
Disadvantages:
• Each new web domain requires the entire authentication process because cookies are domain specific
• Requires cookies to be enabled
• Does not work for HTTPS requests
• No single sign-on
• Password is sent as clear text (Base64)
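The "Password sent as clear text (Base64) for every request" disadvantage listed above, shown as an added audit sketch in Python (not taken from the Cisco guide): it classifies the Proxy-Authorization scheme in captured client-to-proxy requests and reports where the password can be recovered without any key. The sample requests, account, password, hosts and NTLM token are constructed, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: client-to-proxy requests as a capture might show them.
# The account, password, hosts and NTLM token are made up for this example.
_BASIC = base64.b64encode(b"EXAMPLE\\jdoe:Winter2024!").decode()
SAMPLE_REQUESTS = [
    "GET http://intranet.example/ HTTP/1.1\r\n"
    f"Proxy-Authorization: Basic {_BASIC}\r\n\r\n",
    "CONNECT mail.example:443 HTTP/1.1\r\n"
    f"Proxy-Authorization: Basic {_BASIC}\r\n\r\n",
    "GET http://intranet.example/logo.png HTTP/1.1\r\n"
    "Proxy-Authorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n",
]


def audit_proxy_auth(raw_request):
    """Classify the proxy credentials in one raw request; None if absent."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        finding = {"method": method, "scheme": scheme.upper(),
                   "user": None, "password_recoverable": False}
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token.strip(), validate=True)
            except (binascii.Error, ValueError):
                return finding  # malformed token: nothing to decode
            user, sep, password = decoded.decode("utf-8", "replace").partition(":")
            finding["user"] = user
            # Base64 is an encoding, not encryption: no key was needed here.
            finding["password_recoverable"] = bool(sep and password)
        return finding
    return None


def exposed_requests(requests):
    """Return findings for every request whose password an observer could read."""
    findings = [f for f in map(audit_proxy_auth, requests) if f]
    return [f for f in findings if f["password_recoverable"]]


if __name__ == "__main__":
    for f in map(audit_proxy_auth, SAMPLE_REQUESTS):
        print(f)
```

Both Basic requests in the sample, including the CONNECT, are reported as exposed, while the NTLM request is not; the password itself is never printed.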