Cisco Cisco Web Security Appliance S160 Guía Del Usuario
5-14
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Step 7
(Optional) Configure transparent user identification.
Step 8
Configure Network Security:
Step 9
(Optional) Click Start Test. This will test the settings you have entered, ensuring they are correct before
real users use them to authenticate. For details on the testing performed, see
real users use them to authenticate. For details on the testing performed, see
•Create additional NTLM
realms to authenticate users in domains that are not trusted by existing NTLM realms., page 5-21
.
Step 10
Submit and commit your changes.
Tip
Customize the access log to use the
%m
custom field parameter. See
Troubleshooting Tools
KerbTray or klist (both part of the Windows Server Resources Kit) for viewing and purging a Kerberos
ticket cache.
ticket cache.
for viewing and editing an Active directory. Wireshark is a
packet analyzer you can use for network troubleshooting.
Next Step
•
Create an Identification Profile that uses the Kerberos authentication scheme.
Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
Before You Begin
•
Ensure you have the rights and domain information needed to join the Web Security appliance to the
Active Directory domain you wish to authenticate against.
Active Directory domain you wish to authenticate against.
•
If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups.
If Active Directory groups are not nested, use the default value, “ads”. See
If Active Directory groups are not nested, use the default value, “ads”. See
the Command Line Interface appendix of this guide.
•
Compare the current time on the Web Security appliance with the current time on the Active
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server. If the Web
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server. If the Web
Setting
Description
Enable Transparent
User Identification using
Active Directory agent
User Identification using
Active Directory agent
Enter both the server name for the machine where the primary Context
Directory agent is installed and the shared secret used to access it.
Directory agent is installed and the shared secret used to access it.
(Optional) Enter the server name for the machine where a backup Context
Directory agent is installed and its shared secret.
Directory agent is installed and its shared secret.
Setting
Description
Client Signing Required
Select this option if the Active Directory server is configured to require
client signing.
client signing.
With this option selected, AsyncOS uses Transport Layer Security when
communicating with the Active Directory server.
communicating with the Active Directory server.