Cisco Web Security Appliance S170 User Guide
AsyncOS 8.8 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Planning
Rules and Guidelines
Consider the following rules and guidelines when using transparent user identification with any authentication server:
• When using DHCP to assign IP addresses to client machines, ensure the IP-address-to-user-name mappings are updated on the Web Security appliance more frequently than the DHCP lease. Use the tuiconfig CLI command to update the mapping update interval. For more information, see .
• If a user logs out of a machine and another user logs into the same machine before the IP-address-to-user-name mapping is updated on the Web Security appliance, then the Web Proxy logs the client as the previous user.
• You can configure how the Web Proxy handles transactions when transparent user identification fails. It can grant users guest access, or it can force an authentication prompt to appear to end users.
• When a user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.
• When the assigned Identification Profile uses an authentication sequence with multiple realms in which the user exists, AsyncOS for Web fetches the user groups from the realms in the order in which they appear in the sequence.
• When you configure an Identification Profile to transparently identify users, the authentication surrogate must be IP address. You cannot select a different surrogate type.
• When you view detailed transactions for users, the Web Tracking page shows which users were identified transparently.
• You can log which users were identified transparently in the access and W3C logs using the %m and x-auth-mechanism custom fields. A log entry of SSO_TUI indicates that the user name was obtained by matching the client IP address to an authenticated user name using transparent user identification. (Similarly, a value of SSO_ASA indicates that the user is a remote user and the user name was obtained from a Cisco ASA using AnyConnect Secure Mobility.)
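The following is an added example, not part of the Cisco guide: it parses constructed access-log lines that carry the x-auth-mechanism custom field, tallies how users were identified (SSO_TUI, SSO_ASA, and so on), and flags the windows in which a client IP identified by transparent user identification switched to a different user name within one mapping update interval, which is exactly where a stale IP-address-to-user-name mapping can attribute traffic to the previous user. The simplified column layout (timestamp, client IP, quoted user name, mechanism) is an assumption for this example and is not the appliance's actual log format.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified layout: timestamp, client IP,
# quoted user name, then the x-auth-mechanism custom field as the last column.
# This layout is an assumption for the example, not real appliance output.
SAMPLE_LOG = """\
1278096903.150 10.1.1.5 "alice@corp" SSO_TUI
1278096910.220 10.1.1.7 "bob@corp" SSO_ASA
1278096950.001 10.1.1.5 "alice@corp" SSO_TUI
1278097100.500 10.1.1.5 "carol@corp" SSO_TUI
1278097200.000 10.1.1.9 "-" NONE
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<ip>\S+)\s+"(?P<user>[^"]*)"\s+(?P<mech>\S+)$')


def parse_log(text):
    """Return a list of (timestamp, client_ip, user, mechanism) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip lines that do not match the assumed layout
            entries.append((float(m["ts"]), m["ip"], m["user"], m["mech"]))
    return entries


def mechanism_counts(entries):
    """Count requests per identification mechanism (SSO_TUI, SSO_ASA, ...)."""
    return Counter(e[3] for e in entries)


def tui_user_changes(entries, mapping_interval_min):
    """Flag SSO_TUI requests where the same client IP switches to a different
    user name less than one mapping update interval after the previous user's
    last request. Requests attributed to the previous user inside that window
    may really belong to the new user, so they deserve a cross-check against
    DHCP lease records. Returns (ip, previous_user, new_user, seconds) tuples."""
    window = mapping_interval_min * 60
    last_seen = {}  # ip -> (timestamp, user) of the previous SSO_TUI request
    flagged = []
    for ts, ip, user, mech in sorted(entries):
        if mech != "SSO_TUI":
            continue
        prev = last_seen.get(ip)
        if prev and prev[1] != user and ts - prev[0] < window:
            flagged.append((ip, prev[1], user, round(ts - prev[0], 1)))
        last_seen[ip] = (ts, user)
    return flagged
```

Running it on the sample with a 5-minute mapping update interval flags the 10.1.1.5 switch from alice@corp to carol@corp about 150 seconds after alice's last request; with a 2-minute interval nothing is flagged.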
Configuring Transparent User Identification
Configuring transparent user identification and authorization is detailed in
• Create and order authentication realms.
• Create Identification Profiles to classify users and client software.
• Create policies to manage web requests from the identified users and user groups.
Using the CLI to Configure Advanced Transparent User Identification Settings
AsyncOS for Web provides the following TUI-related CLI commands:
• tuiconfig – Configure advanced settings associated with transparent user identification. Batch mode can be used to configure multiple parameters simultaneously.
– Configure mapping timeout for Active Directory agent – Length of time, in minutes, IP-address-to-user-name mappings are cached for IP addresses retrieved by the AD agent when there are no updates from the agent.