Cisco Web Security Appliance S360 User Guide

Chapter 7: Identities
Example Identity Policies Tables
7-32
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
The Web Proxy matches client requests to Identity groups in this scenario 
differently, depending on the client’s subnet and the URL category of the request:
  • Any client on subnet 10.1.1.1 for any URL. When a client on subnet 10.1.1.1 sends a request for any URL, the Web Proxy evaluates the first Identity group and determines that the client subnet matches the first Identity group subnet. Then it determines that no authentication is required and no advanced options are configured, so it assigns the first Identity group to the transaction.
  • Any client on a subnet other than 10.1.1.1 for URLs in the “Proxies & Translators” URL category. When a client on a subnet other than 10.1.1.1 sends a request for a URL in the “Proxies & Translators” category, the Web Proxy evaluates the first Identity group and determines that the client subnet is not listed in the first Identity group’s list of subnets. Therefore, it evaluates the second Identity group, and then determines that the client subnet is listed in the second Identity group’s list of subnets. Then it determines that the URL in the request matches the URL category in the second Identity group’s advanced section. Then it determines that the second Identity group requires authentication, so it tries to authenticate the user against the authentication server(s) defined in RealmA. If the user exists in RealmA, the Web Proxy assigns the second Identity group to the transaction. If the user does not exist in RealmA, AsyncOS terminates the client request because the client failed authentication.
  • Any client on a subnet other than 10.1.1.1 for any URL not in the “Proxies & Translators” URL category. When a client on a subnet other than 10.1.1.1 sends a request for a URL, the Web Proxy evaluates the first Identity group and determines that the client subnet is not listed in the first Identity group’s list of subnets. Therefore, it evaluates the second Identity group, and then determines that the client subnet is listed in the second Identity group’s list of subnets. Then it determines that the URL in the request

Table 7-4 Policies Table Example 1 (continued)

| Order | Subnet(s) | Authentication Required? | Realm or Sequence | Advanced Options |
|---|---|---|---|---|
| 3 | All | Yes | RealmA | none |
| Global Identity policy | All (by default) | No | N/A | N/A (none by default) |
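
The top-down evaluation described above, modelled as an added Python example (not Cisco's code or AsyncOS configuration syntax). Assumptions: rows 1 and 2 are reconstructed from the prose, with 10.1.1.1 treated as a single host and row 2 covering all subnets; the RealmA user list is constructed; and the outcome for the third case follows row 3 of Table 7-4, because the page's description of that case is cut off.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class IdentityGroup:
    name: str
    subnet: str                          # CIDR; "0.0.0.0/0" stands for "All"
    realm: Optional[str] = None          # None = no authentication required
    url_categories: Tuple[str, ...] = () # advanced option; empty = none set

# Evaluation order matters: the list is walked top to bottom.
# Rows 1-2 reconstructed from the prose (assumed: 10.1.1.1 is one host,
# row 2 covers all subnets); row 3 and the global row come from Table 7-4.
POLICIES = [
    IdentityGroup("Identity 1", "10.1.1.1/32"),
    IdentityGroup("Identity 2", "0.0.0.0/0", "RealmA", ("Proxies & Translators",)),
    IdentityGroup("Identity 3", "0.0.0.0/0", "RealmA"),
    IdentityGroup("Global Identity policy", "0.0.0.0/0"),
]

REALM_USERS = {"RealmA": {"alice"}}      # constructed realm contents

TERMINATED = "terminated (failed authentication)"

def assign_identity(client_ip, url_category, user=None):
    """Return the Identity group assigned to a transaction, or TERMINATED."""
    ip = ipaddress.ip_address(client_ip)
    for group in POLICIES:
        # 1. Membership criteria: subnet first, then advanced options.
        if ip not in ipaddress.ip_network(group.subnet):
            continue
        if group.url_categories and url_category not in group.url_categories:
            continue
        # 2. Criteria matched: authenticate only if this group requires it.
        if group.realm is None:
            return group.name
        if user in REALM_USERS.get(group.realm, set()):
            return group.name
        # 3. Failed authentication ends the request; later groups, including
        #    the unauthenticated global policy, are never evaluated.
        return TERMINATED
    return TERMINATED  # unreachable here: the global policy matches everything

if __name__ == "__main__":
    for args in [("10.1.1.1", "News"), ("10.2.2.2", "Proxies & Translators", "alice"),
                 ("10.2.2.2", "Proxies & Translators", "mallory"),
                 ("10.2.2.2", "News", "alice")]:
        print(args, "->", assign_identity(*args))
```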