Cisco Web Security Appliance S680 User Guide
8-12
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Note
You can configure the Web Proxy to request authentication again if an authenticated user is blocked from a website due to restrictive URL filtering. To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction” global authentication setting. For more information, see .
Identifying Users Transparently
Traditionally, users identified by an authentication user name are prompted to enter a user name and password. The credentials the user enters are then validated against an authentication server, and the Web Proxy applies the appropriate policies to the transaction based on the authenticated user name.
However, you can configure the Web Security appliance so that it identifies users by an authenticated user name transparently, that is, without prompting the end user. Identification is a method of obtaining user credentials from another trusted source. AsyncOS for Web assumes that the user name has already been authenticated by the trusted source that provides it.
You might want to identify users transparently to:
• Create a single sign-on environment so users are not aware of the presence of a proxy on the network.
• Apply authentication-based policies to transactions coming from client applications that are incapable of displaying the authentication prompt to end users.
Identifying users transparently only affects how the Web Proxy obtains the user name and assigns an Identity group. After it obtains the user name and assigns an Identity, it applies all other policies normally, regardless of how it assigned the Identity.
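The following is an added illustration, not code from the guide or from AsyncOS, of the two identification paths the text describes: a user name taken from a trusted source (modelled here as a constructed IP-to-user mapping published by an agent) is accepted without a prompt, a client that can display a prompt is asked for credentials only when no mapping exists, and the access policy is then evaluated on the user name alone, regardless of which path produced it. It also models the optional re-authentication prompt from the note above. The class names, the mapping, the prompt answers and the policy table are all assumptions made up for this example.

```python
"""Toy model of transparent user identification by a web proxy (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class Identity:
    username: Optional[str]   # None when the user could not be identified
    method: str               # "transparent", "prompt" or "unidentified"


@dataclass(frozen=True)
class AccessDecision:
    action: str               # "allow" or "block"
    identity: Identity        # the identity the decision was based on


class TrustedAgent:
    """Stand-in (assumption) for the IP-to-user mapping a trusted source such as an
    AD agent maintains. The proxy never validates a password here: it trusts that
    the source already authenticated the user, which is the trust the guide describes."""

    def __init__(self, mappings: Dict[str, str]) -> None:
        self._mappings = dict(mappings)

    def user_for(self, client_ip: str) -> Optional[str]:
        return self._mappings.get(client_ip)


class WebProxy:
    def __init__(self, agent: TrustedAgent,
                 prompt: Callable[[str], Optional[str]],
                 policies: Dict[str, Set[str]],
                 reauth_on_block: bool = False) -> None:
        self.agent = agent
        self.prompt = prompt                  # asks the client for a user name
        self.policies = policies              # user name -> allowed URL categories
        self.reauth_on_block = reauth_on_block

    def identify(self, client_ip: str, client_can_prompt: bool = True) -> Identity:
        # Path 1: transparent, the user name comes from the trusted source.
        username = self.agent.user_for(client_ip)
        if username is not None:
            return Identity(username, "transparent")
        # Path 2: prompt, only possible for clients that can show a prompt.
        if client_can_prompt:
            username = self.prompt(client_ip)
            if username is not None:
                return Identity(username, "prompt")
        return Identity(None, "unidentified")

    def _policy_allows(self, identity: Identity, url_category: str) -> bool:
        # Policy is keyed on the user name only; how it was obtained is irrelevant.
        return url_category in self.policies.get(identity.username, set())

    def decide(self, client_ip: str, url_category: str,
               client_can_prompt: bool = True) -> AccessDecision:
        identity = self.identify(client_ip, client_can_prompt)
        if self._policy_allows(identity, url_category):
            return AccessDecision("allow", identity)
        # Optional re-authentication prompt when blocked by URL category.
        if self.reauth_on_block and client_can_prompt:
            reprompted = self.prompt(client_ip)
            if reprompted is not None and reprompted != identity.username:
                retry = Identity(reprompted, "prompt")
                if self._policy_allows(retry, url_category):
                    return AccessDecision("allow", retry)
        return AccessDecision("block", identity)


# Constructed sample data for the example.
AGENT = TrustedAgent({"10.0.0.5": "alice"})           # what the agent reports
PROMPT_ANSWERS = {"10.0.0.9": "bob", "10.0.0.5": "bob"}  # what a user would type
POLICIES = {"alice": {"business"}, "bob": {"business", "social"}}


def sample_prompt(client_ip: str) -> Optional[str]:
    return PROMPT_ANSWERS.get(client_ip)


def build_proxy(reauth_on_block: bool = False) -> WebProxy:
    return WebProxy(AGENT, sample_prompt, POLICIES, reauth_on_block)


if __name__ == "__main__":
    proxy = build_proxy()
    print(proxy.identify("10.0.0.5"))                 # transparent: alice
    print(proxy.identify("10.0.0.9"))                 # prompt: bob
    print(proxy.decide("10.0.0.9", "social", client_can_prompt=False))
```

The unidentified case (a client that cannot prompt and has no mapping) is deliberately left with no allowed categories, so the policy falls through to block.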
To identify users transparently, complete the following basic steps:
1. Define at least one authentication realm that supports transparent user identification. For more information, see .
2. Create an Identity group that identifies users transparently, and then specify the authentication realm created in the previous step.
Note
You can also transparently identify remote users when using Secure Mobility. For more information, see .
Understanding Transparent User Identification
You can identify users transparently using one of the following authentication servers:
• An Active Directory agent. Create an NTLM authentication realm and enable transparent user identification. In addition, you must deploy a separate Active Directory agent utility. Cisco recommends Cisco Context Directory Agent. For more information, see .
• Novell eDirectory. Create an LDAP authentication realm that supports Novell eDirectory. For more information, see .