Cisco Web Security Appliance S170 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Planning
Active Directory/Basic

Explicit Forward
Advantages:
• Supported by all browsers and most other applications
• RFC-based
• Minimal overhead
• Works for HTTPS (CONNECT) requests
• Because the passphrase is not transmitted to the authentication server, it is more secure
• Connection is authenticated, not the host or IP address
• Achieves true single sign-on in an Active Directory environment when the client applications are configured to trust the Web Security appliance
Disadvantages:
• Passphrase sent as clear text (Base64) for every request
• No single sign-on
• Moderate overhead: each new connection needs to be re-authenticated
• Primarily supported on Windows only and with major browsers only

Transparent, IP-Based Caching
Advantages:
• Works with all major browsers
• With user agents that do not support authentication, users only need to authenticate first in a supported browser
• Relatively low overhead
• Works for HTTPS requests if the user has previously authenticated with an HTTP request
Disadvantages:
• Authentication credentials are associated with the IP address, not the user (does not work in Citrix and RDP environments, or if the user changes IP address)
• No single sign-on
• Passphrase is sent as clear text (Base64)

Transparent, Cookie-Based Caching
Advantages:
• Works with all major browsers
• Authentication is associated with the user rather than the host or IP address
Disadvantages:
• Each new web domain requires the entire authentication process because cookies are domain specific
• Requires cookies to be enabled
• Does not work for HTTPS requests
• No single sign-on
• Passphrase is sent as clear text (Base64)
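
The "Passphrase sent as clear text (Base64)" disadvantage listed for Basic authentication, shown as an added example (not from the Cisco guide): a Python check that classifies the credential header of a captured HTTP request and reports whether the passphrase can be recovered from it. The sample requests, the account jdoe, and the function name audit_request are constructed for illustration.

```python
import base64
import binascii

# Header names that carry credentials: Proxy-Authorization (sent to a proxy)
# and Authorization (sent in answer to an origin-style challenge), per RFC 7235.
CRED_HEADERS = ("proxy-authorization", "authorization")

def audit_request(raw: bytes) -> dict:
    """Classify the credential header of one captured HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in CRED_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        finding = {"method": method, "header": name.strip(),
                   "scheme": scheme, "user": None, "passphrase_exposed": False}
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token.strip(), validate=True)
            except (binascii.Error, ValueError):
                finding["scheme"] = "Basic (malformed)"
                return finding
            user, sep, secret = decoded.decode("utf-8", "replace").partition(":")
            finding["user"] = user
            # Base64 is an encoding, not encryption: anyone on the path
            # between client and proxy can recover the passphrase.
            finding["passphrase_exposed"] = bool(sep) and bool(secret)
        return finding
    return {"method": method, "header": None, "scheme": None,
            "user": None, "passphrase_exposed": False}

# Constructed sample requests (not captured traffic).
BASIC_TOKEN = base64.b64encode(b"jdoe:example-passphrase").decode()
SAMPLES = [
    (f"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n"
     f"Proxy-Authorization: Basic {BASIC_TOKEN}\r\n\r\n").encode(),
    b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    b"Proxy-Authorization: NTLM TlRMTVNTUAABAAAA\r\n\r\n",
    b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_request(sample))
```

The function returns the user name and an exposure flag rather than the passphrase itself, so its output can be written to an audit log.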