Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 20 Authentication
• FTP over HTTP. The dilemma with accessing FTP servers using FTP over
HTTP is similar to accessing HTTPS sites. The Web Proxy must resolve the
user identity before assigning an Access Policy, but it cannot set the cookie
from the FTP transaction.
Because of this, you should configure the appliance to use IP addresses as the
surrogate when credential encryption is enabled.
Note
Authentication does not work with HTTPS and FTP over HTTP requests when
credential encryption is enabled and configured to use cookies as the surrogate
type. Therefore, with this configuration setup, HTTPS and FTP over HTTP
requests only match Access Policies that do not require authentication. Typically,
they match the global Access Policy, since it never requires authentication.
Allowing Users to Re-Authenticate
AsyncOS for Web can block users from accessing different categories of websites
depending on who is trying to access a website. In these cases, users successfully
authenticate, but they are not authorized to access certain websites due to
configured URL filtering in the applicable Access Policy. You can allow these
authenticated users another opportunity to access the web if they fail
authorization.
Note
Only authenticated users are allowed to re-authenticate, not unauthenticated
users.
You might want to do this for shared workstations that have multiple users, but the
default account has limited access. If the default account on the workstation is
blocked from a website due to restrictive URL filtering, the user can enter
different authentication credentials that allow broader, more privileged access.
To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by
URL Category or User Session Restriction” global authentication setting. The
user sees a block page that includes a link that allows them to enter new
authentication credentials. The Web Proxy evaluates those credentials against the