Cisco Web Security Appliance S370 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Allowing Guest Access to Users Who Fail Authentication
• An employee from another branch location (or from an acquired company) comes to the corporate headquarters, and needs Internet access. The user directories of the branch location (or acquired company) and corporate headquarters are separate, so the employee’s credentials do not work in the corporate headquarters.
• A new hire has been provided credentials in an email but they are not yet populated in the authentication server.
• A user logs into a Windows workstation using a local account instead of a Windows domain account and the user needs access to the Internet.
The authentication server administrator in your organization can create a guest user account in the user directory. However, allowing guest access through the Web Security appliance has the benefit that the administrator does not have to communicate the guest credentials to every visitor.
To grant guest access to users who fail authentication, you create an Identity that requires authentication, but also allows guest privileges. Then you create another policy using that Identity and apply that policy to the guest users. When users who fail authentication have guest access, they can access the resources defined in the policy group that specifies guest access for that Identity.
A user who fails authentication has all transactions blocked if either of the following conditions is true:
• Guest privileges are not provided in any Identity.
• The user does not match any Identity that provides guest privileges.
A user who fails authentication has transactions allowed when all of the following conditions are true:
• The user matches an Identity with guest privileges.
• A non-Identity policy group uses that Identity and applies to guest users.
For example, you can create an Access or Decryption Policy that is specific to guest users.
Note
If an Identity allows guest access and there is no user defined policy group that uses that Identity, users who fail authentication match the global policy for that policy type. For example, if MyIdentity allows guest access and there is no user defined Access Policy that uses MyIdentity, users who fail authentication match the global Access Policy. If you do not want guest users to match a global policy, create a policy group above the global policy that applies to guest users and blocks all access.
When the Web Proxy grants a user guest access, it identifies and logs the user as a guest in the access logs. You can specify whether the Web Proxy identifies the user by IP address or user name. In the access logs, reports, and end-user acknowledgement page, entries for guest users have one of the following formats:
• (unauthenticated)IP_address
• (unauthenticated)username_entered
You can enable guest access for an Identity that uses any authentication protocol or scheme.
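The guest marker described above makes guest transactions easy to pick out when reviewing access logs. The following Python is an added example, not part of this guide or of AsyncOS: it reads constructed, squid-style sample lines (the field order and the sample values are assumptions, not real appliance output), finds the field carrying the `(unauthenticated)` prefix, and reports whether the guest was identified by IP address or by the user name entered.

```python
import ipaddress
from collections import Counter

GUEST_PREFIX = "(unauthenticated)"

# Constructed sample access-log lines (not real appliance output). The field
# order is an assumption loosely modelled on a squid-style access log; the
# only field this example relies on is the user field carrying the guest marker.
SAMPLE_LOG = """\
1278096903.150 97 192.0.2.10 TCP_MISS/200 8187 GET http://intranet.example/ jdoe DIRECT/intranet.example text/html
1278096904.221 54 192.0.2.77 TCP_MISS/200 512 GET http://news.example/ (unauthenticated)192.0.2.77 DIRECT/news.example text/html
1278096905.002 61 192.0.2.78 TCP_DENIED/403 0 GET http://files.example/ (unauthenticated)visitor01 NONE/- -
1278096906.317 80 192.0.2.10 TCP_MISS/200 2048 GET http://mail.example/ jdoe DIRECT/mail.example text/html
"""


def classify_user_field(field):
    """Return ('authenticated', name), ('guest-ip', ip) or ('guest-user', name)."""
    if not field.startswith(GUEST_PREFIX):
        return ("authenticated", field)
    ident = field[len(GUEST_PREFIX):]
    try:
        ipaddress.ip_address(ident)  # guest identified by IP address
        return ("guest-ip", ident)
    except ValueError:
        return ("guest-user", ident)  # guest identified by the user name entered


def guest_entries(log_text):
    """Return (line_no, kind, identifier, url) for every guest transaction."""
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        # The user field is recognised by its guest prefix, so the exact column
        # position does not matter; lines without the prefix are authenticated.
        user = next((f for f in fields if f.startswith(GUEST_PREFIX)), None)
        if user is None:
            continue
        kind, ident = classify_user_field(user)
        url = fields[6] if len(fields) > 6 else ""  # assumed URL column
        results.append((n, kind, ident, url))
    return results


def guest_summary(log_text):
    """Count guest transactions per identifier to see how much traffic takes the guest path."""
    return Counter((kind, ident) for _, kind, ident, _ in guest_entries(log_text))
```

A high count of guest transactions from one identifier is worth reviewing against the policy group that grants guest access, since it shows how much traffic is matching the guest rule rather than an authenticated Identity.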
Step 1
Define an Identity group and enable the Support Guest privileges option.
Step 2
Create an Access, Decryption, Routing, Data Security, or External DLP Policy and select the Identity created in step.
Step 3
In the Access, Decryption, Routing, Data Security, or External DLP Policy group membership, select “Guests (users failing authentication)” for the Identity in step.
Step 4
Submit and commit your changes.