Cisco Web Security Appliance S160 User Guide
HOW AUTHENTICATION AFFECTS HTTPS AND FTP OVER HTTP REQUESTS
CHAPTER 7: IDENTITIES
129
Consider the following rules and guidelines when creating and ordering Identity groups:
• Identity group order. All Identity groups that do not require authentication must be above
Identity groups that require authentication.
• Cookie-based authentication. When the appliance is configured to use cookie-based
authentication surrogates, it does not get cookie information from clients for HTTPS and
FTP over HTTP requests. Therefore, it cannot get the user name from the cookie. How
HTTPS and FTP over HTTP requests are matched against the Identity groups varies based
on other factors. For more information, see “How Authentication Affects HTTPS and FTP
over HTTP Requests” on page 129.
• Identity uniqueness. Verify the Identity group membership requirements are unique for
each Identity group. If two Identity groups require the exact same membership, then client
requests never match the lower Identity group. If any non-Identity policy uses the lower
Identity group, client requests never match that policy.
• Global Identity policy. The global Identity policy does not require authentication by
default when you create an authentication realm. If you want the global Identity policy to
require authentication, you must assign an authentication realm, authentication
sequence, or the All Realms sequence to the global Identity policy.
For some examples of how the Web Proxy matches client requests to an Identity group for
different Identity policies tables, see “Example Identity Policies Tables” on page 145.
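The ordering and uniqueness guidelines above can be checked mechanically before a table is committed. The following is an added example, not code from the Cisco guide or the appliance: the `IdentityGroup` model, the criteria strings, and all group and policy names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdentityGroup:          # hypothetical model, not the appliance's config schema
    name: str
    membership: frozenset     # opaque criteria strings, e.g. "subnet:10.1.0.0/16"
    requires_auth: bool

def lint_identity_table(groups, policies):
    """groups: Identity groups top to bottom. policies: {policy name: Identity group name}.
    Returns (rule, subject, detail) tuples for the ordering and uniqueness guidelines."""
    findings, first_auth, seen, shadowed = [], None, {}, set()
    for row, g in enumerate(groups, start=1):
        # Guideline: groups without authentication go above groups that require it.
        if g.requires_auth:
            first_auth = first_auth or g.name
        elif first_auth:
            findings.append(("ORDER", g.name,
                             f"row {row}: no-auth group is below auth group '{first_auth}'"))
        # Guideline: identical membership means the lower group is never matched.
        key = (g.membership, g.requires_auth)
        if key in seen:
            shadowed.add(g.name)
            findings.append(("SHADOWED", g.name,
                             f"row {row}: same membership as '{seen[key]}' above it"))
        else:
            seen[key] = g.name
    # Any non-Identity policy that uses a shadowed group can never match either.
    for policy, ident in sorted(policies.items()):
        if ident in shadowed:
            findings.append(("DEAD_POLICY", policy, f"uses shadowed group '{ident}'"))
    return findings

# Constructed sample table (names and subnets are made up for illustration).
SAMPLE_GROUPS = [
    IdentityGroup("Kiosks", frozenset({"subnet:10.9.0.0/24"}), False),
    IdentityGroup("Staff", frozenset({"subnet:10.1.0.0/16"}), True),
    IdentityGroup("Printers", frozenset({"subnet:10.8.0.0/24"}), False),
    IdentityGroup("Contractors", frozenset({"subnet:10.1.0.0/16"}), True),
]
SAMPLE_POLICIES = {"StaffAccess": "Staff", "ContractorAccess": "Contractors"}

if __name__ == "__main__":
    for rule, subject, detail in lint_identity_table(SAMPLE_GROUPS, SAMPLE_POLICIES):
        print(f"{rule:12} {subject:18} {detail}")
```

On the sample table this flags "Printers" as misordered, "Contractors" as shadowed by "Staff", and "ContractorAccess" as a policy that can never match.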
How Authentication Affects HTTPS and FTP over HTTP Requests
How the Web Proxy matches HTTPS and FTP over HTTP requests with Identities depends on
the type of request (either explicitly forwarded or transparently redirected to the Web Proxy)
and the authentication surrogate type:
• No authentication surrogates. The Web Proxy matches HTTPS and FTP over HTTP
requests with Identity groups the same way it matches HTTP requests. For a diagram of
how this occurs, see Figure 7-2 on page 133.
• IP-based authentication surrogates and explicit requests. The Web Proxy matches HTTPS
and FTP over HTTP requests with Identity groups the same way it matches HTTP requests.
For a diagram of how this occurs, see Figure 7-2 on page 133.
• IP-based authentication surrogates and transparent requests. The Web Proxy matches
FTP over HTTP requests with Identity groups the same way it matches HTTP requests. But
for HTTPS requests, the behavior is different, depending on whether or not the HTTPS
request comes from a client that has authentication information available from an earlier
HTTP request:
• Information available from a previous HTTP request. The Web Proxy matches HTTPS
requests with Identity groups the same way it matches HTTP requests. For a diagram of
how this occurs, see Figure 7-2 on page 133. HTTPS requests are treated with the
Identity associated with the IP address.