Cisco Cisco Web Security Appliance S170 Guía Del Usuario
20-6
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
Understanding How Authentication Works
describes the different authentication scenarios you can configure between the Web Security
appliance and the client and between the Web Security appliance and the authentication server.
Web Proxy deployment also affects how authentication works in each of the scenarios described in
. For more information, see
.
Basic versus NTLMSSP Authentication Schemes
When you configure an Identity group to use authentication, you choose the authentication scheme,
either Basic or NTLMSSP. The authentication scheme affects the user experience and the security of
users’ passwords.
either Basic or NTLMSSP. The authentication scheme affects the user experience and the security of
users’ passwords.
describes the differences between Basic and NTLMSSP authentication schemes.
Table 20-1
Web Security Appliance Authentication Scenarios
Client to Web Security
Appliance
Appliance
Web Security Appliance to
Authentication Server
Authentication Server
Authentication Server Type
Basic LDAP
LDAP
server
Basic
LDAP
Active Directory server using LDAP
Basic
NTLM
Active Directory server using NTLM
NTLMSSP
NTLM
Active Directory server using NTLM
Table 20-2
Basic versus NTLMSSP Authentication Schemes
Authentication
Scheme
Scheme
User Experience
Security
Basic
The client always prompts users for
credentials. After the user enters
credentials, browsers typically offer a
check box to remember the provided
credentials. Each time the user opens the
browser, the client either prompts for
credentials or resends the previously
saved credentials.
credentials. After the user enters
credentials, browsers typically offer a
check box to remember the provided
credentials. Each time the user opens the
browser, the client either prompts for
credentials or resends the previously
saved credentials.
Credentials are sent unsecured as clear
text (Base64). A packet capture between
the client and Web Security appliance can
reveal the user name and password.
text (Base64). A packet capture between
the client and Web Security appliance can
reveal the user name and password.
Note: You can configure the Web Security
appliance so clients send authentication
credentials securely. For more
information, see
appliance so clients send authentication
credentials securely. For more
information, see
.
NTLMSSP
The client transparently authenticates by
using its Windows login credentials. The
user is not prompted for credentials.
using its Windows login credentials. The
user is not prompted for credentials.
However, the client prompts the user for
credentials under the following
circumstances:
credentials under the following
circumstances:
•
The Windows credentials failed.
•
The client does not trust the Web
Security appliance because of
browser security settings.
Security appliance because of
browser security settings.
Credentials are sent securely using a
three-way handshake (digest style
authentication). The password is never
sent across the connection.
three-way handshake (digest style
authentication). The password is never
sent across the connection.
For more information on the three-way
handshake, see
handshake, see
.