Cisco Web Security Appliance S680 User Guide
7-33
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 7 Identities
Example Identity Policies Tables
does not match the URL category in the second Identity group’s advanced section. Therefore, it evaluates the third Identity group, and then determines that the client subnet is listed in the third Identity group’s list of subnets. The third Identity group does not have any advanced options configured, so it continues to compare against the authentication requirements. It then determines that the third Identity group requires authentication, so it tries to authenticate the user against the authentication server(s) defined in RealmA. If the user exists in RealmA, the Web Proxy assigns the third Identity group to the transaction. If the user does not exist in RealmA, the Web Proxy terminates the client request because the client failed authentication.
Note that in this scenario, most client requests will never match the global Identity group because of the user-defined Identity group (the third group) that applies to all subnets, has no advanced options, and requires authentication. Any client on the network that does not match the first or second Identity group will match the third Identity group. The exception to this is for HTTPS requests when the appliance is in transparent mode with cookie-based authentication. Any client on a subnet other than 10.1.1.1 will match the global Identity group even though it requires authentication.
Example 2
Identity group applies to all subnets, requires authentication, and specifies RealmA for authentication. The second Identity group applies to all subnets, requires authentication, and specifies RealmB for authentication. Neither Identity group has any advanced option configured. The global Identity group applies to all subnets, requires authentication, and specifies the All Realms sequence for authentication.
Table 7-5   Policies Table Example 2

Order                   Subnet(s)   Authentication Required?   Realm or Sequence   Advanced Options
1                       All         Yes                        RealmA              none
2                       All         Yes                        RealmB              none
Global Identity policy  All         Yes                        All Realms          N/A (none by default)
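To make the top-down evaluation described on this page concrete, the following is an added Python model (not Cisco's code and not part of the guide) of how the Web Proxy walks an ordered Identity table using the rules stated above: subnet membership first, then advanced options, then authentication against the matched group's realm, with a failed authentication terminating the request rather than falling through to later groups. Applying those rules to Table 7-5 shows that a user who exists only in RealmB is terminated by the first group and never reaches the second group or the global policy; that consequence is this example's inference from the stated rules, and the user names, realm contents, the URL-category advanced option, and the 0.0.0.0/0 representation of "All" are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed authentication realms: realm name -> set of known users (assumption).
REALMS = {"RealmA": {"alice"}, "RealmB": {"bob"}}
# The "All Realms" sequence tries each realm in order (assumed order).
SEQUENCES = {"All Realms": ["RealmA", "RealmB"]}

# Table 7-5 as an ordered list. "All" subnets is modelled as 0.0.0.0/0;
# url_categories=None means no advanced options are configured.
EXAMPLE_2 = [
    {"name": "Identity 1", "subnets": ["0.0.0.0/0"], "auth": "RealmA", "url_categories": None},
    {"name": "Identity 2", "subnets": ["0.0.0.0/0"], "auth": "RealmB", "url_categories": None},
    {"name": "Global Identity policy", "subnets": ["0.0.0.0/0"], "auth": "All Realms", "url_categories": None},
]


def authenticate(user, realm_or_sequence):
    """True if the user exists in the realm, or in any realm of the named sequence."""
    for realm in SEQUENCES.get(realm_or_sequence, [realm_or_sequence]):
        if user in REALMS.get(realm, set()):
            return True
    return False


def match_identity(policies, client_ip, user, url_category=None):
    """Evaluate policies top-down: subnet, then advanced options (URL category),
    then authentication. The first group whose membership criteria match is the
    one used; if that group requires authentication and the user is not found in
    its realm, the request is terminated and later groups are never evaluated."""
    addr = ip_address(client_ip)
    for policy in policies:
        # Membership criterion 1: is the client on one of the group's subnets?
        if not any(addr in ip_network(s) for s in policy["subnets"]):
            continue
        # Membership criterion 2: advanced options (URL category), if configured.
        cats = policy["url_categories"]
        if cats is not None and url_category not in cats:
            continue
        # Authentication requirement of the matched group.
        if policy["auth"] is None:
            return policy["name"]
        if authenticate(user, policy["auth"]):
            return policy["name"]
        return "TERMINATED: authentication failed in " + policy["auth"]
    return "no identity matched"
```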