Cisco Web Security Appliance S680 User Guide
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Step 2  Submit and commit your changes.
Enabling RADIUS External Authentication
See
Creating an Active Directory Realm for Kerberos Authentication Scheme
Before You Begin
• Ensure the appliance is configured in Standard mode (not Cloud Connector Mode).
• Prepare the Active Directory Server.
  – Install Active Directory on one of these servers: Windows Server 2003, 2008, 2008R2 or 2012.
  – Create a user on the Active Directory server that is a member of the domain administrators.
  – Join your client to the domain. Supported clients are Windows XP, Windows 7 and Mac OS 10.5+.
  – Use the kerbtray tool from the Windows Resource Kit to verify the Kerberos ticket on the client: http://www.microsoft.com/en-us/download/details.aspx?id=17657 .
  – Ticket viewer application on Mac clients is available under main menu > KeyChain Access to view the Kerberos tickets.
• Ensure you have the rights and domain information needed to join the Web Security appliance to the Active Directory domain you wish to authenticate against.
• Compare the current time on the Web Security appliance with the current time on the Active Directory server and verify that the difference is no greater than the time specified in the “Maximum tolerance for computer clock synchronization” option on the Active Directory server.
• If the Web Security appliance is managed by a Security Management appliance, be prepared to ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance.
• Web Security appliance configuration:
  – In explicit mode, the WSA host name (CLI command ) and the proxy name configured in the browser must be the same.
  – In transparent mode, the WSA host name must be the same as the Redirect Hostname (see ). Further, the WSA host name and Redirect Hostname must be configured prior to creating a Kerberos realm.
• Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.
• Note that single sign-on (SSO) must be configured on client browsers; see
Option | Description
Timeout to wait for valid response from server. | The number of seconds AsyncOS waits for a response to the query from the server.
Group Mapping | For each group name in the directory, assign a role.
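The clock-tolerance and host-name prerequisites in the "Before You Begin" list can be checked before the realm is committed. The following Python sketch is an added example, not part of the Cisco guide or of AsyncOS; the function names, the sample host names and the sample clock readings are constructed for illustration, and the case-insensitive host-name comparison is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Windows default for "Maximum tolerance for computer clock synchronization";
# read the value actually set in the domain's Kerberos policy.
DEFAULT_MAX_SKEW = timedelta(minutes=5)

def normalize(host):
    # Assumption: names are compared ignoring case and a trailing root dot.
    return host.strip().rstrip(".").lower()

def clock_skew(wsa_time, ad_time):
    """Absolute difference between two clock readings, compared in UTC."""
    for reading in (wsa_time, ad_time):
        if reading.tzinfo is None:
            raise ValueError("clock reading has no UTC offset; cannot compare")
    return abs(wsa_time - ad_time)

def preflight(mode, wsa_hostname, peer_name, wsa_time, ad_time,
              max_skew=DEFAULT_MAX_SKEW):
    """Return a list of findings; an empty list means both checks passed.

    peer_name is the proxy name set in the browser (explicit mode) or the
    Redirect Hostname (transparent mode).
    """
    labels = {"explicit": "browser proxy name", "transparent": "Redirect Hostname"}
    if mode not in labels:
        raise ValueError(f"unknown mode: {mode!r}")
    findings = []
    skew = clock_skew(wsa_time, ad_time)
    if skew > max_skew:
        findings.append(f"clock skew {skew} exceeds tolerance {max_skew}")
    if normalize(wsa_hostname) != normalize(peer_name):
        findings.append(f"WSA host name {wsa_hostname!r} differs from "
                        f"{labels[mode]} {peer_name!r}")
    return findings

# Constructed sample readings: the appliance reports local time (UTC-8),
# the domain controller reports UTC.
PST = timezone(timedelta(hours=-8))
WSA_OK = datetime(2024, 1, 15, 10, 2, 0, tzinfo=PST)        # 18:02:00 UTC
WSA_DRIFTED = datetime(2024, 1, 15, 10, 7, 0, tzinfo=PST)   # 18:07:00 UTC
AD_TIME = datetime(2024, 1, 15, 18, 0, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(preflight("explicit", "WSA01.example.com", "wsa01.example.com.", WSA_OK, AD_TIME))
    print(preflight("transparent", "wsa01.example.com", "wsa01", WSA_DRIFTED, AD_TIME))
```

Readings without a UTC offset are rejected because two wall-clock times from different time zones can look hours apart while the underlying clocks agree, or look identical while they do not.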