Cisco Web Security Appliance S370 User Guide

20-25
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20      Authentication
  • FTP over HTTP. The dilemma with accessing FTP servers using FTP over HTTP is similar to accessing HTTPS sites. The Web Proxy must resolve the user identity before assigning an Access Policy, but it cannot set the cookie from the FTP transaction.
Because of this, you should configure the appliance to use IP addresses as the surrogate when credential encryption is enabled.
Note
Authentication does not work with HTTPS and FTP over HTTP requests when credential encryption is 
enabled and configured to use cookies as the surrogate type. Therefore, with this configuration setup, 
HTTPS and FTP over HTTP requests only match Access Policies that do not require authentication. 
Typically, they match the global Access Policy, which never requires authentication.
Allowing Users to Re-Authenticate
AsyncOS for Web can block users from accessing different categories of websites depending on who is 
trying to access a website. In these cases, users successfully authenticate, but they are not authorized to 
access certain websites due to configured URL filtering in the applicable Access Policy. You can allow 
these authenticated users another opportunity to access the web if they fail authorization.
Note
Only authenticated users are allowed to re-authenticate, not unauthenticated users.
You might want to do this for shared workstations that have multiple users, but the default account has 
limited access. If the default account on the workstation is blocked from a website due to restrictive URL 
filtering, the user can enter different authentication credentials that allow broader, more privileged 
access. 
To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User 
Session Restriction” global authentication setting. The user sees a block page that includes a link that 
allows them to enter new authentication credentials. The Web Proxy evaluates those credentials against 
the authentication realms defined in the applicable Identity group, and if the new credentials allow 
greater access, the requested page appears in the browser. For more information, see 
.
Note
The Web Proxy evaluates the new credentials against the authentication realms defined in the applicable 
Identity group only. It does not compare them against all other Identity groups. 
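The following Python model is an added illustration, not AsyncOS code, of the behaviour described in the note above and in the surrogate list that follows: a cookie surrogate cannot be set on an HTTPS or FTP over HTTP transaction while credential encryption is enabled, so those requests carry no identity and match the first Access Policy that needs none (typically the global policy), whereas an IP surrogate still resolves the user; it also models how a re-authenticated identity is cached for a surrogate-dependent lifetime. Policy names, surrogate keys, the timeout value and the browser tag are constructed assumptions.

```python
from dataclasses import dataclass, field

COOKIE_SURROGATES = {"session_cookie", "persistent_cookie"}


@dataclass
class SurrogateCache:
    """Cached user identity keyed by surrogate (cookie value or client IP)."""
    surrogate: str               # "session_cookie", "persistent_cookie", "ip" or "none"
    credential_encryption: bool
    timeout: int = 3600          # surrogate timeout in seconds (assumed value)
    entries: dict = field(default_factory=dict)

    def cookie_usable(self, scheme):
        # A cookie surrogate is set on the HTTP reply; the proxy cannot set it on an
        # HTTPS or FTP-over-HTTP transaction while credential encryption is enabled.
        if self.surrogate not in COOKIE_SURROGATES:
            return True
        return not (self.credential_encryption and scheme in ("https", "ftp"))

    def remember(self, key, user, now, browser):
        # A re-authentication simply overwrites the cached identity for this surrogate.
        # With no surrogate nothing is cached, so every request is authenticated anew.
        if self.surrogate != "none":
            self.entries[key] = (user, now + self.timeout, browser)

    def lookup(self, key, scheme, now, browser):
        if not self.cookie_usable(scheme) or key not in self.entries:
            return None
        user, expires, owner = self.entries[key]
        alive = now < expires
        if self.surrogate == "session_cookie":
            # Closing the browser discards a session cookie; modelled by the browser tag.
            alive = alive and owner == browser
        if not alive:
            del self.entries[key]
            return None
        return user


def match_policy(policies, user):
    # policies: ordered (name, requires_auth) pairs; the last one is the global
    # Access Policy, which never requires authentication.
    for name, requires_auth in policies:
        if user is not None or not requires_auth:
            return name
    return None
```

A request with no resolvable identity never reaches an authenticated policy, which is why the cookie surrogate silently narrows HTTPS and FTP over HTTP coverage to the global policy.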
When a more privileged user authenticates and gets access, the Web Proxy caches the privileged user 
identity for different amounts of time depending on the authentication surrogates configured:
  • Session cookie. The privileged user identity is used until the browser is closed or the session times out.
  • Persistent cookie. The privileged user identity is used until the surrogate times out.
  • IP address. The privileged user identity is used until the surrogate times out.
  • No surrogate. By default, the Web Proxy requests authentication for every new connection, but when re-authentication is enabled, the Web Proxy requests authentication for every new request, so there is an increased load on the authentication server when using NTLMSSP. Most browsers will cache the privileged user credentials and authenticate without prompting the user until the browser