Cisco Web Security Appliance S190 User Guide
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 7 Identities
Identifying Users Transparently
Understanding Transparent User Identification
Novell eDirectory maintains a mapping that matches authenticated user names to
their current IP addresses. AsyncOS for Web communicates with the Novell
eDirectory server at regular intervals to maintain the current IP address to user
name mapping.
When a client makes a request for a website, the Web Security appliance receives
the request and obtains the IP address from the request. AsyncOS for Web then
checks the IP address to user name mapping stored on the Web Security appliance
to assign a user name to the client request. AsyncOS for Web also fetches the user
groups from the Novell eDirectory server at this time. Assuming it matches a user
name to the IP address, AsyncOS for Web applies policies to the transaction as
appropriate.
If the IP address does not match a user name, you can configure how to handle the
transaction. You can grant the end user guest access, or you can force an
authentication prompt to appear to the end user.
When an end user is shown an authentication prompt due to failed transparent user
identification, and the user then fails authentication due to invalid credentials, you
can choose whether to allow the user guest access.
Figure 7-4 shows where you grant user access when configuring an Identity for
transparent user identification.
Figure 7-4 Granting Guest Access—Transparent User Identification
The current IP address to user name mapping is updated, by default, every 600
seconds. You can change this time interval using the
advancedproxyconfig > authentication CLI command.
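A simplified model of the lookup flow described above, added here as an illustration (not Cisco's code; the class, parameter and path names are hypothetical). It assumes requests between polls are answered only from the stored copy, and shows how the 600-second interval interacts with the two guest-access settings.

```python
from dataclasses import dataclass, field

REFRESH_SECONDS = 600  # default update interval stated in the guide


@dataclass
class Appliance:
    """Simplified, hypothetical model of the lookup flow; not AsyncOS code."""
    directory: dict                      # stand-in for eDirectory: IP -> user
    on_no_match: str = "prompt"          # "guest" or "prompt"
    guest_on_failed_auth: bool = False   # guest access after invalid credentials
    cache: dict = field(default_factory=dict)
    last_refresh: float = float("-inf")

    def _refresh_if_due(self, now):
        # Assumption: between polls, requests are answered from the stored copy.
        if now - self.last_refresh >= REFRESH_SECONDS:
            self.cache = dict(self.directory)
            self.last_refresh = now

    def identify(self, client_ip, now, prompted_as=None):
        """Return (identity, path). prompted_as is the user name a successful
        authentication prompt would yield, or None for invalid credentials."""
        self._refresh_if_due(now)
        user = self.cache.get(client_ip)
        if user is not None:
            return user, "transparent"
        if self.on_no_match == "guest":
            return "guest", "guest-no-match"
        if prompted_as is not None:
            return prompted_as, "prompt-authenticated"
        if self.guest_on_failed_auth:
            return "guest", "guest-failed-auth"
        return None, "auth-failed"


def demo():
    directory = {"10.0.0.5": "alice"}            # constructed sample data
    wsa = Appliance(directory, guest_on_failed_auth=True)
    results = [wsa.identify("10.0.0.5", now=0)]  # first poll, then a match
    directory["10.0.0.9"] = "bob"                # bob logs in at t=100
    del directory["10.0.0.5"]                    # alice logs out at t=100
    results.append(wsa.identify("10.0.0.9", now=120))  # not in stored copy yet
    results.append(wsa.identify("10.0.0.5", now=120))  # stored copy still says alice
    results.append(wsa.identify("10.0.0.9", now=600))  # next poll picks bob up
    return results
```

In this model, a shorter interval narrows the window in which a request is handled by the guest or prompt fallback, or attributed from an outdated entry.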
Note
When you enable re-authentication and a transaction is blocked by URL filtering,
an end-user notification page appears with the option to log in as a different user.
Users who click the link are prompted for authentication. For more information,
see