Cisco Web Security Appliance S160 User Guide, page 5-7
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Planning
AsyncOS for Web communicates at regular intervals with eDirectory or an Active Directory agent to maintain mappings that match authenticated user names to their current IP addresses.
Transparent User Identification with Active Directory
Active Directory does not record user log-in information in a format that is easily queried by other systems such as the Web Security appliance. Active Directory agents, such as Cisco’s Context Directory Agent (CDA), are necessary to query the Active Directory security event logs for information about authenticated users.
AsyncOS for Web communicates with the Active Directory agent to maintain a local copy of the IP-address-to-user-name mappings. When AsyncOS for Web needs to associate an IP address with a user name, it first checks its local copy of the mappings. If no match is found, it queries an Active Directory agent to find a match.
For more information on installing and configuring an Active Directory agent, see Setting Up an Active Directory Agent to Provide Information to the Web Security Appliance, page 5-7.
Consider the following when you identify users transparently using Active Directory:
• Transparent user identification with Active Directory works with an NTLM or Kerberos authentication scheme only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory instance.
• Transparent user identification works with the versions of Active Directory supported by an Active Directory agent.
• You can install a second instance of an Active Directory agent on a different machine to achieve high availability. When you do this, each Active Directory agent maintains IP-address-to-user-name mappings independently of the other agent. AsyncOS for Web uses the backup Active Directory agent after three unsuccessful ping attempts to the primary agent.
• The Active Directory agent uses on-demand mode when it communicates with the Web Security appliance.
• The Active Directory agent pushes user log-out information to the Web Security appliance. Occasionally, some user log-out information is not recorded in the Active Directory security logs. This can happen if the client machine crashes, or if the user shuts down the machine without logging out. If there is no user log-out information in the security logs, an Active Directory agent cannot inform the appliance that the IP address is no longer assigned to that user. To obviate this possibility, you can define how long AsyncOS caches the IP-address-to-user mappings when there are no updates from an Active Directory agent. For more information, see .
• The Active Directory agent records the sAMAccountName for each user logging in from a particular IP address to ensure the user name is unique.
• The client IP addresses that the client machines present to the Active Directory server and the Web Security appliance must be the same.
• AsyncOS for Web searches only direct parent groups for a user. It does not search nested groups.
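As an added illustration (not Cisco's code, and not a description of how AsyncOS is actually implemented), the following Python model reproduces the lookup path the list above describes: local copy first, agent query on a miss, a cache TTL that bounds how long a missed log-out can leave a stale mapping, and failover to a second agent after three unsuccessful pings. The Agent and MappingCache classes, the TTL value and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PING_ATTEMPTS_BEFORE_FAILOVER = 3  # the guide: backup agent used after three failed pings


@dataclass
class Agent:
    """Simulated Active Directory agent (e.g. CDA) answering on-demand queries."""
    name: str
    mappings: Dict[str, str]  # ip -> sAMAccountName, as the agent learned from AD logs
    reachable: bool = True

    def ping(self) -> bool:
        return self.reachable

    def query(self, ip: str) -> Optional[str]:
        return self.mappings.get(ip)


class MappingCache:
    """Local IP-to-user copy; the TTL bounds how long a missed log-out can linger."""

    def __init__(self, primary: Agent, backup: Optional[Agent], ttl_seconds: float):
        self.primary, self.backup, self.ttl = primary, backup, ttl_seconds
        self.cache: Dict[str, Tuple[str, float]] = {}  # ip -> (user, time learned)

    def _active_agent(self) -> Optional[Agent]:
        # Try the primary up to three times, then fall back to the second agent (if any)
        for _ in range(PING_ATTEMPTS_BEFORE_FAILOVER):
            if self.primary.ping():
                return self.primary
        return self.backup

    def resolve(self, ip: str, now: float) -> Optional[str]:
        # 1. Check the local copy first; drop entries older than the TTL so a client
        #    that crashed without logging out does not keep its user name forever.
        entry = self.cache.get(ip)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]
        self.cache.pop(ip, None)
        # 2. On a miss, query the agent and cache whatever it returns.
        agent = self._active_agent()
        user = agent.query(ip) if agent is not None else None
        if user is not None:
            self.cache[ip] = (user, now)
        return user

    def logout(self, ip: str) -> None:
        # Invoked when the agent pushes a log-out event for this IP address.
        self.cache.pop(ip, None)
```

A short TTL limits how long traffic from a reassigned IP address is attributed to the previous user; a long one reduces agent queries, so the value is a trade-off to set deliberately.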
Setting Up an Active Directory Agent to Provide Information to the Web Security Appliance
Because AsyncOS for Web cannot obtain client IP addresses directly from Active Directory, it must obtain IP-address-to-user-name mapping information from an Active Directory agent.