Cisco Web Security Appliance S360 User Guide
Chapter 7 Identities
Example Identity Policies Tables
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
In this scenario, when a client sends a request for a URL, the Web Proxy evaluates
the first Identity group and determines that the Identity group applies to all
subnets and has no advanced options configured. It determines that the Identity
group requires authentication and that the only realm specified in the Identity
group is RealmA. Therefore, in order for a client on any subnet to pass
authentication, it must exist in RealmA.
When a client that exists in RealmA sends a request for a URL, the client passes
authentication and the Web Proxy assigns the first Identity group to the
transaction. When a client that does not exist in RealmA sends a request for a
URL, the client fails authentication and the Web Proxy terminates the request.
Note that when a client in RealmB sends a request for a URL, the Web Proxy does
not match the client request with the second Identity group. This is because an
earlier Identity group already applies to the same subnets (with the exact same
advanced options, which in this example are none) as the second Identity group,
and that earlier group requires authentication, but against RealmA instead. Clients
in RealmB do not “fall through” to the second Identity group.
If you want users in RealmB to have different Access, Decryption, and Routing
Policy settings applied to them than users in RealmA, perform the following
steps:
Step 1
Create an authentication sequence that contains both RealmA and RealmB. You
can choose the order of the realms in the sequence depending on your business
needs.
Step 2
Create one Identity group and configure it for whichever subnets on which users
in RealmA and RealmB might exist. In this example, you would configure the
Identity group for all subnets.
Step 3
Configure the Identity group to use the sequence you defined in step
Step 4
Create two user defined policy groups of the same type, such as Access Policies,
and configure them both to use the Identity group with the authentication
sequence you defined in step
Step 5
Configure the first policy group to only apply to users in one realm, such as
RealmA. You can do this by specifying a particular realm in the sequence, or by
using authentication groups, or entering specific usernames.
Step 6
Configure the second policy group to only apply to users in the other realm, such
as RealmB. You can do this by specifying a particular realm in the sequence, or
by using authentication groups, or entering specific usernames.
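The following is an added model of the matching behaviour described above, not code from the guide or from AsyncOS: it shows why a RealmB user is terminated by the first Identity group when two single-realm Identity groups are stacked, and how one Identity group with a RealmA+RealmB sequence plus two realm-scoped policy groups (steps 1 to 6) gives each realm its own policy. Identity names, policy names, usernames and the realm directory are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed directory: which usernames exist in which authentication realm.
REALMS = {"RealmA": {"alice"}, "RealmB": {"bob"}}

@dataclass
class Identity:
    name: str
    subnets: list   # membership criteria; empty list means "all subnets"
    realms: list    # authentication sequence, in order; empty means no authentication

    def matches(self, client_ip):
        # Only subnet membership is modelled; advanced options are "none" as in the example.
        return not self.subnets or any(ip_address(client_ip) in ip_network(s) for s in self.subnets)

@dataclass
class Policy:
    name: str
    identity: str
    realm: str = None   # when set, the policy applies only to users authenticated in this realm

def evaluate(identities, policies, client_ip, user):
    """Mimic the Web Proxy: the first Identity whose membership criteria match the
    request is assigned, with no fall-through to later Identities. The client then
    authenticates against that Identity's realm sequence; failure terminates the request."""
    for ident in identities:
        if not ident.matches(client_ip):
            continue
        realm = next((r for r in ident.realms if user in REALMS[r]), None)
        if ident.realms and realm is None:
            return ("terminated", ident.name, None)
        for pol in policies:
            if pol.identity == ident.name and pol.realm in (None, realm):
                return ("allowed", ident.name, pol.name)
        return ("no-policy", ident.name, None)
    return ("no-identity", None, None)

# Before: two Identity groups for all subnets, one per realm. The second is never reached.
BEFORE = [Identity("ID-A", [], ["RealmA"]), Identity("ID-B", [], ["RealmB"])]
POLICIES_BEFORE = [Policy("AccessA", "ID-A"), Policy("AccessB", "ID-B")]

# After (steps 1-6): one Identity group using a RealmA+RealmB sequence and two
# Access Policies scoped to a particular realm in that sequence.
AFTER = [Identity("ID-AB", [], ["RealmA", "RealmB"])]
POLICIES_AFTER = [Policy("AccessA", "ID-AB", "RealmA"), Policy("AccessB", "ID-AB", "RealmB")]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, evaluate(BEFORE, POLICIES_BEFORE, "10.0.0.5", user),
              evaluate(AFTER, POLICIES_AFTER, "10.0.0.5", user))
```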