8-11
Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 8      Identities
Allowing Guest Access to Users Who Fail Authentication
• An employee from another branch location (or from an acquired company) comes to the corporate headquarters, and needs Internet access. The user directories of the branch location (or acquired company) and corporate headquarters are separate, so the employee’s credentials do not work in the corporate headquarters.
• A new hire has been provided credentials in an email but they are not yet populated in the authentication server.
• A user logs into a Windows workstation using a local account instead of a Windows domain account and the user needs access to the Internet.
The authentication server administrator in your organization can create a guest user account in the user 
directory. However, allowing guest access through the Web Security appliance has the benefit that the 
administrator does not have to communicate the guest credentials to every visitor.
To grant guest access to users who fail authentication, you create an Identity that requires authentication, 
but also allows guest privileges. Then you create another policy using that Identity and apply that policy 
to the guest users. When users who fail authentication have guest access, they can access the resources 
defined in the policy group that specifies guest access for that Identity.
A user who fails authentication has all transactions blocked if either of the following conditions is true:
• Guest privileges are not provided in any Identity.
• The user does not match any Identity that provides guest privileges.
A user who fails authentication has transactions allowed when all of the following conditions are true:
• The user matches an Identity with guest privileges.
• A non-Identity policy group uses that Identity and applies to guest users.
For example, you can create an Access or Decryption Policy that is specific to guest users. 
Note
If an Identity allows guest access and there is no user defined policy group that uses that Identity, users 
who fail authentication match the global policy for that policy type. For example, if MyIdentity allows 
guest access and there is no user defined Access Policy that uses MyIdentity, users who fail 
authentication match the global Access Policy. If you do not want guest users to match a global policy, 
create a policy group above the global policy that applies to guest users and blocks all access.
When the Web Proxy grants a user guest access, it identifies and logs the user as a guest in the access 
logs. You can specify whether the Web Proxy identifies the user by IP address or user name. In the access 
logs, reports, and end-user acknowledgement page, entries for guest users have one of the following 
formats:
• (unauthenticated)IP_address
• (unauthenticated)username_entered
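Because guest users are written to the access logs with the (unauthenticated) prefix described above, that prefix is a convenient hook for reviewing how much traffic is flowing through guest access. The following Python is an added example, not code from the guide or from Cisco; the sample log lines are constructed in a generic squid-style layout (the real field order is not taken from the guide), so the code locates the prefixed token wherever it appears rather than relying on a field position.

```python
import ipaddress
from collections import Counter

# Constructed sample lines (not real appliance output). The user field carries
# either a normal authenticated user or one of the two guest formats the guide
# documents: (unauthenticated)IP_address or (unauthenticated)username_entered.
SAMPLE_ACCESS_LOG = """\
1278096903.150 97 10.1.1.5 TCP_MISS/200 8187 GET http://intranet.example.com/ jsmith@CORP DIRECT/intranet.example.com text/html
1278096910.221 120 10.1.1.77 TCP_MISS/200 4412 GET http://www.example.com/ (unauthenticated)10.1.1.77 DIRECT/www.example.com text/html
1278096915.004 88 10.1.1.78 TCP_DENIED/403 0 GET http://www.example.net/ (unauthenticated)visitor01 NONE/- -
1278096918.390 91 10.1.1.77 TCP_MISS/200 2210 GET http://cdn.example.com/a.js (unauthenticated)10.1.1.77 DIRECT/cdn.example.com application/javascript
"""

GUEST_PREFIX = "(unauthenticated)"


def guest_identifier(line):
    """Return (kind, value) for a guest entry, or None for a normal user.

    kind is 'ip' when the appliance was configured to identify guests by IP
    address and 'username' when it logs the name the user typed.
    """
    for token in line.split():
        if token.startswith(GUEST_PREFIX):
            value = token[len(GUEST_PREFIX):]
            try:
                ipaddress.ip_address(value)
                return ("ip", value)
            except ValueError:
                return ("username", value)
    return None


def summarize_guest_access(log_text):
    """Count requests per guest identifier so unexpected guest volume stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ident = guest_identifier(line)
        if ident is not None:
            counts[ident] += 1
    return counts


if __name__ == "__main__":
    for (kind, value), n in summarize_guest_access(SAMPLE_ACCESS_LOG).most_common():
        print(f"{kind:8} {value:20} {n} request(s)")
```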
You can enable guest access for an Identity that uses any authentication protocol or scheme.
Step 1 Define an Identity group and enable the Support Guest privileges option.
Step 2 Create an Access, Decryption, Routing, Data Security, or External DLP Policy and select the Identity created in Step 1.
Step 3 In the Access, Decryption, Routing, Data Security, or External DLP Policy group membership, select “Guests (users failing authentication)” for the Identity in Step 1.
Step 4 Submit and commit your changes.