Cisco Web Security Appliance S160 User Guide
20-31
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
NTLM Authentication
The NT LAN Manager (NTLM) authenticates users with an encrypted challenge-response sequence that occurs between the appliance and a Microsoft Windows domain controller. The NTLM challenge-response handshake occurs when a web browser attempts to connect to the appliance and before data is delivered.
When you configure an NTLM authentication realm, you do not specify the authentication scheme. Instead, you choose the scheme when you use the realm in an Identity group. This allows you to choose different schemes for different Identities. When you create or edit the Identity group, you can choose one of the following schemes:
• Use NTLMSSP
• Use Basic or NTLMSSP
• Use Basic
Note: AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the Basic authentication scheme. Basic authentication fails when the password contains characters that are not 7-bit ASCII.
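The note above has a practical consequence for anyone troubleshooting Basic-scheme failures: the credential a browser sends is base64 of user:password, and the appliance only accepts it when the password decodes to 7-bit ASCII. The following Python is an added example, not code from the Cisco guide or from the appliance; it decodes a Basic Proxy-Authorization value the way a proxy would and reports whether the password satisfies that constraint. The function names (build_basic_header, parse_basic_header, basic_credential_report) are this example's own, and the credentials it uses are constructed.

```python
import base64

def is_seven_bit_ascii(text: str) -> bool:
    """True when every character is a 7-bit ASCII code point (0-127)."""
    return all(ord(ch) < 0x80 for ch in text)

def build_basic_header(user: str, password: str) -> str:
    """Build a Proxy-Authorization value as a browser would: base64 over the
    UTF-8 bytes of 'user:password'. Constructed helper for the example."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(header_value: str) -> tuple:
    """Decode 'Basic <base64>' into (user, password).
    Raises ValueError for anything that is not a well-formed Basic credential,
    including an NTLM token or malformed base64."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed base64 token") from exc
    # Only the first ':' separates user from password; later ones belong to the password.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        raise ValueError("credential lacks the user:password separator")
    return user, password

def basic_credential_report(header_value: str) -> dict:
    """Report whether this Basic credential can succeed against an appliance
    that accepts only 7-bit ASCII passwords for the Basic scheme."""
    user, password = parse_basic_header(header_value)
    offending = sorted({ch for ch in password if ord(ch) >= 0x80})
    return {
        "user": user,
        "basic_ok": not offending,
        "offending_chars": offending,
        "advice": ("Basic scheme usable for this password" if not offending
                   else "password has non-7-bit-ASCII characters; Basic fails, "
                        "choose an Identity scheme that uses NTLMSSP"),
    }

if __name__ == "__main__":
    # Constructed sample credentials: one ASCII-only, one with umlauts.
    for hdr in (build_basic_header("alice", "Sup3rSecret!"),
                build_basic_header("bob", "pässwörd")):
        print(basic_credential_report(hdr))
```

Run over real proxy logs this would flag the users whose Basic attempts can never succeed, which is usually faster than asking each of them what their password contains.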
Authenticating Users Against Multiple Active Directory Domains
An NTLM realm is configured to join one Active Directory domain. However, the Web Proxy can also authenticate users against domains in either the same or a different forest when the following conditions exist:
Table 20-14 LDAP Group Authorization—User Object Settings (continued)

User Object Setting: Attribute that Contains the Group Name
Description: When the group membership attribute is a DN, this specifies the attribute that can be used as the group name in policy group configurations. Choose one of the following values:
• cn. A unique identifier in the LDAP directory that specifies the name of a group.
• custom. A custom identifier such as FinanceGroup.

User Object Setting: Query String to Determine if Object is a Group
Description: Choose an LDAP search filter that determines if an LDAP object represents a user group. Choose one of the following values:
• objectclass=groupofnames
• objectclass=groupofuniquenames
• objectclass=group
• custom. A custom filter such as objectclass=person.
Note: The query defines the set of authentication groups which can be used in Web Security Manager policies.
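The two settings in the table work together: the membership attribute yields DNs, the group-name attribute picks one RDN out of each DN to use as the policy group name, and the query string decides which of those DNs point at objects that count as groups at all. The following Python is an added example, not code from the Cisco guide or the appliance, showing that resolution over a small directory constructed for the example (entries are dicts keyed by lower-case attribute name). The helpers split_dn, rdn_value, matches_filter and user_groups are this example's own; matches_filter supports only the simple attribute=value filters the table lists, and split_dn handles a backslash-escaped comma inside a cn, a case that breaks naive splitting.

```python
from typing import Optional

def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on unescaped commas, unescaping backslash
    sequences so 'cn=Sales\\, EMEA' keeps its comma."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts

def rdn_value(dn: str, attr: str) -> Optional[str]:
    """Value of the first RDN whose attribute type is `attr` (case-insensitive),
    e.g. rdn_value('cn=FinanceGroup,ou=groups,dc=example,dc=com', 'cn')."""
    for rdn in split_dn(dn):
        name, sep, value = rdn.partition("=")
        if sep and name.strip().lower() == attr.lower():
            return value
    return None

def matches_filter(entry: dict, ldap_filter: str) -> bool:
    """Evaluate an equality filter such as 'objectclass=group' (optionally in
    parentheses) against one entry; attribute names and values compare
    case-insensitively, as LDAP does for objectClass."""
    f = ldap_filter.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, sep, wanted = f.partition("=")
    if not sep:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    values = entry.get(attr.strip().lower(), [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == wanted.strip().lower() for v in values)

def user_groups(user: dict, directory: dict, group_filter: str, name_attr: str) -> list:
    """Resolve the user's membership DNs, keep only those whose target object
    satisfies group_filter, and name each by the name_attr RDN of its DN.
    Memberships that fail the filter are not usable as policy groups."""
    names = []
    for dn in user.get("memberof", []):
        target = directory.get(dn.lower())
        if target is None or not matches_filter(target, group_filter):
            continue
        name = rdn_value(dn, name_attr)
        if name is not None:
            names.append(name)
    return names

# Constructed directory for the example: two groups of different object classes.
FINANCE_DN = "cn=FinanceGroup,ou=groups,dc=example,dc=com"
SALES_DN = "cn=Sales\\, EMEA,ou=groups,dc=example,dc=com"  # escaped comma in the cn
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"

DIRECTORY = {
    FINANCE_DN.lower(): {"objectclass": ["top", "group"], "member": [ALICE_DN]},
    SALES_DN.lower(): {"objectclass": ["top", "groupOfNames"], "member": [ALICE_DN]},
}

ALICE = {
    "objectclass": ["top", "person"],
    "uid": ["alice"],
    "memberof": [FINANCE_DN, SALES_DN],
}

if __name__ == "__main__":
    for query in ("objectclass=group", "objectclass=groupofnames", "objectclass=person"):
        print(query, "->", user_groups(ALICE, DIRECTORY, query, "cn"))
```

Switching the query string from objectclass=group to objectclass=groupofnames changes which of Alice's memberships becomes a usable policy group, which is exactly what the note under the table warns about; a query that matches none of the membership targets (here objectclass=person) leaves the user with no groups for Web Security Manager policies.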