8-13
Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 8      Identities
Identifying Users Transparently
AsyncOS for Web works with either Novell eDirectory or an Active Directory agent to maintain a 
mapping that matches authenticated user names to their current IP addresses. AsyncOS for Web 
communicates with the Novell eDirectory server and an Active Directory agent at regular intervals to 
maintain the current IP address to user name mapping.
The following steps are followed when transparent user identification is enabled:
1. Client makes a request for a website.
2. Web Security appliance receives the client request and obtains the IP address from the request.
3. AsyncOS for Web checks the IP address to user name mapping stored on the Web Security appliance to assign a user name to the client request. If no match is found for transparent user identification with Active Directory, AsyncOS for Web then contacts an Active Directory agent to find a matched user name.
4. Assuming it matches a user name to the IP address, AsyncOS for Web fetches the user groups from the Novell eDirectory server or Active Directory Server.
5. AsyncOS for Web applies policies to the transaction as appropriate.
If the IP address does not match a user name, you can configure how to handle the transaction. You can 
grant the end user guest access, or you can force an authentication prompt to appear to the end user. 
When an end user is shown an authentication prompt due to failed transparent user identification, and 
the user then fails authentication due to invalid credentials, you can choose whether to allow the user 
guest access. 
Figure 8-3 shows where you grant user access when configuring an Identity for transparent user identification.
Figure 8-3 Granting Guest Access—Transparent User Identification
The current IP address to user name mapping is updated, by default, every 600 seconds. You can change this time interval using the tuiconfig CLI command. For more information, see .
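As an added illustration (not Cisco's code and not a description of how AsyncOS is implemented), the following Python model walks through steps 1 to 5 above together with the guest-access and authentication-prompt fallbacks and the periodic mapping refresh; the agent table and group table are constructed stand-ins. It also shows the caveat a practitioner should keep in mind: a stored mapping entry is trusted until the next refresh, so an IP address that changes hands between refreshes is attributed to the previous user.

```python
from dataclasses import dataclass, field

REFRESH_INTERVAL = 600  # seconds: the default mapping refresh interval (adjustable with tuiconfig)


@dataclass
class TransparentIdentifier:
    """Toy model of transparent user identification (illustration only, not Cisco's code)."""
    agent: dict                          # constructed stand-in for the AD agent / eDirectory: ip -> user
    directory_groups: dict               # constructed stand-in for the group lookup: user -> [groups]
    guest_on_no_match: bool = True       # Identity setting: grant guest access when no user matches
    guest_on_failed_auth: bool = False   # Identity setting: guest access after a failed auth prompt
    mapping: dict = field(default_factory=dict)  # appliance-side copy of ip -> user
    last_refresh: float = 0.0

    def refresh(self, now):
        """Periodic pull of the agent's ip -> user table (every REFRESH_INTERVAL seconds by default)."""
        self.mapping = dict(self.agent)
        self.last_refresh = now

    def identify(self, client_ip, now):
        """Steps 2 to 5 for one client request. Returns (user, groups, action)."""
        if now - self.last_refresh >= REFRESH_INTERVAL:
            self.refresh(now)
        user = self.mapping.get(client_ip)     # step 3: local mapping is consulted first
        if user is None:                       # miss: contact the agent directly
            user = self.agent.get(client_ip)
        if user is not None:                   # step 4: fetch groups; step 5: apply policy
            return user, self.directory_groups.get(user, []), "apply_policy"
        if self.guest_on_no_match:             # no user for this IP: guest or prompt
            return None, [], "guest"
        return None, [], "auth_prompt"

    def after_prompt(self, username, credentials_valid):
        """Outcome once the end user has answered the authentication prompt."""
        if credentials_valid:
            return username, self.directory_groups.get(username, []), "apply_policy"
        if self.guest_on_failed_auth:
            return None, [], "guest"
        return None, [], "deny"
```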
Note: When you enable re-authentication and a transaction is blocked by URL filtering, an end-user notification page appears with the option to log in as a different user. Users who click the link are prompted for authentication. For more information, see .
Transparent User Identification with Active Directory
Active Directory does not record user login event information in a method that is easily queried by other 
servers, such as the Web Security appliance. However, Cisco offers the Cisco Context Directory Agent 
that queries the Active Directory security event logs to maintain an IP address to user name mapping of 
users authenticated with Active Directory. Active Directory agents, including Cisco Context Directory 
Agent and others, act as a type of identity repository.