Cisco Web Security Appliance S170 User Guide
20-28
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
Bypassing Authentication
Some client applications, such as some instant messaging applications or applets, and servers do not handle authentication well. For example, some clients do not handle NTLMSSP at all, while others might not strictly follow the authentication standard. When the Web Proxy processes transactions between these applications or servers, authentication might fail.
You can work around these limitations by bypassing authentication for the affected clients and servers.
Step 1
Create a custom URL category that contains the affected websites by configuring the Advanced properties.
Step 2
Create an Identity group that only applies to the affected client applications and the custom URL category created in
Step 3
Place the Identity before all other Identities that require authentication.
Step 4
Configure the Identity so it does not require authentication.
Step 5
Use the Identity in other policy groups as needed.
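The ordering requirement in Step 3 is the part of this procedure that is easy to get wrong: Identities are evaluated in order and the first match wins, so a bypass Identity placed behind a catch-all Identity that requires authentication never takes effect. The following is an added illustration, not AsyncOS code: a simplified first-match model of Identity selection with constructed Identity names, user-agent strings and a constructed custom URL category.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    """Simplified model of a Web Proxy Identity (added example, not AsyncOS code)."""
    name: str
    requires_auth: bool
    user_agents: list = field(default_factory=list)  # substrings matched against the client User-Agent
    url_category: set = field(default_factory=set)   # hostnames in a custom URL category

    def matches(self, user_agent: str, host: str) -> bool:
        # An empty criterion means "any"; a populated one must match.
        ua_ok = not self.user_agents or any(s in user_agent for s in self.user_agents)
        url_ok = not self.url_category or host in self.url_category
        return ua_ok and url_ok

def select_identity(identities, user_agent, host):
    """Return the first Identity whose membership criteria match the transaction (first match wins)."""
    for ident in identities:
        if ident.matches(user_agent, host):
            return ident
    return None

def auth_required(identities, user_agent, host) -> bool:
    """True when the matched Identity requires authentication for this transaction."""
    ident = select_identity(identities, user_agent, host)
    return ident is not None and ident.requires_auth

# Constructed custom URL category of the affected sites (Step 1) and the two Identities (Steps 2 and 4).
CHAT_SITES = {"chat.example.com", "im.example.net"}
BYPASS = Identity("IM-Bypass", requires_auth=False, user_agents=["ExampleIM/"], url_category=CHAT_SITES)
EVERYONE = Identity("All-Users-Auth", requires_auth=True)

if __name__ == "__main__":
    # Step 3 ordering: bypass Identity first, so the IM client is not challenged on the chat sites.
    print(auth_required([BYPASS, EVERYONE], "ExampleIM/2.0", "chat.example.com"))  # False
    # Wrong ordering: the catch-all shadows the bypass Identity and the IM client is still challenged.
    print(auth_required([EVERYONE, BYPASS], "ExampleIM/2.0", "chat.example.com"))  # True
    # Scope stays narrow: a browser to the same site, or the IM client elsewhere, still authenticates.
    print(auth_required([BYPASS, EVERYONE], "Mozilla/5.0", "chat.example.com"))    # True
    print(auth_required([BYPASS, EVERYONE], "ExampleIM/2.0", "www.example.org"))    # True
```

Keeping both the client-application and the URL-category criteria on the bypass Identity is what limits the unauthenticated scope to the affected transactions only.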
LDAP Authentication
The Lightweight Directory Access Protocol (LDAP) server database is a repository for employee directories. These directories include the names of employees along with various types of personal data such as a phone number, email address, and other information that is exclusive to the individual employee. The LDAP database is composed of objects containing attributes and values. Each object name is referred to as a distinguished name (DN). The location on the LDAP server where a search begins is called the Base Distinguished Name or base DN.
The appliance supports standard LDAP server authentication and Secure LDAP authentication. Support for LDAP allows established installations to continue using their LDAP server database to authenticate users.
For Secure LDAP, the appliance supports LDAP connections over SSL. The SSL protocol is an industry standard for ensuring confidentiality. SSL uses encryption algorithms along with Certificate Authority (CA) signed certificates to provide the LDAP servers a way to verify the identity of the appliance.
Note
AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the Basic authentication scheme. Basic authentication fails when the password contains characters that are not 7-bit ASCII.
Changing Active Directory Passwords
After Active Directory LDAP users change their account passwords, the Active Directory LDAP server authenticates them with their current or previous password, depending on the Active Directory server configuration.
If you want users to only be able to authenticate with their new password, you can reboot the Active Directory server, or you can wait for the Active Directory server to time out the old passwords.