Cisco Web Security Appliance S680 User Guide
7-19
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 7 Identities
Identifying Users Transparently
• If an end user logs out of a machine and another user logs in to the same machine before the IP address to user name mapping is updated on the Web Security appliance, then the Web Proxy logs the client as the previous user.
• You can configure how the Web Proxy handles transactions when transparent user identification fails. It can grant users guest access, or it can force an authentication prompt to appear to end users.
• When a user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.
• When the assigned Identity uses an authentication sequence with multiple realms in which the user exists, AsyncOS for Web fetches the user groups from the realms in the order in which they appear in the sequence.
• When you configure an Identity to transparently authenticate users, the authentication surrogate must be IP address. You cannot select a different surrogate type.
• You can use the “network address” field of the user in Novell eDirectory to obtain the IP address of the workstation from where the user previously logged in.
• You can log which users were identified transparently in the access logs and W3C logs using the %m and x-auth-mechanism custom fields. A value of SSO_EDIR indicates that the user name was obtained by matching the client IP address to an authenticated user name in Novell eDirectory. (Similarly, a value of SSO_ASA indicates that the user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility Solution.)
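The notes above describe two things an administrator will want to verify from the logs: which transactions were identified transparently (the x-auth-mechanism field) and whether the IP address surrogate has attributed traffic from one client IP to more than one user in quick succession, which is the stale-mapping case from the first note. The following script is an added example and is not part of the guide or of AsyncOS. It parses W3C extended log text by its #Fields header; the sample lines, the field order, the timestamps and the mechanism values other than SSO_EDIR and SSO_ASA (NONE, BASIC) are constructed for this example rather than taken from an appliance export, and the 300-second window is an arbitrary threshold.

```python
"""Audit transparent user identification results in W3C-style access log lines.

Added example, not Cisco code. The sample log below is constructed for this
example: the field order, timestamps and the NONE/BASIC mechanism values are
assumptions; SSO_EDIR and SSO_ASA are the values named in the guide.
"""
from collections import Counter

SAMPLE_LOG = """\
#Fields: timestamp c-ip cs-username x-auth-mechanism cs-url
1300000001 10.1.1.20 jsmith SSO_EDIR http://intranet.example.com/
1300000002 10.1.1.21 mlee SSO_EDIR http://mail.example.com/
1300000005 10.1.1.30 rpatel SSO_ASA http://vpn-portal.example.com/
1300000010 10.1.1.22 - NONE http://www.example.com/
1300000040 10.1.1.20 jsmith SSO_EDIR http://news.example.com/
1300000050 10.1.1.20 akumar SSO_EDIR http://hr.example.com/
1300000060 10.1.1.22 guest_user BASIC http://www.example.com/
"""

TRANSPARENT = ("SSO_EDIR", "SSO_ASA")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def mechanism_summary(records):
    """Count transactions per x-auth-mechanism value."""
    return Counter(r["x-auth-mechanism"] for r in records)


def ip_user_changes(records, window=300):
    """Return (ip, previous_user, new_user, seconds) for each client IP whose
    attributed user name changed within `window` seconds.

    With an IP address surrogate, the previous user's name can be logged for
    the new user's traffic until the mapping is refreshed, so a quick change
    is where that misattribution would show up.
    """
    last_seen = {}
    changes = []
    for r in sorted(records, key=lambda r: int(r["timestamp"])):
        ip, user, ts = r["c-ip"], r["cs-username"], int(r["timestamp"])
        if user == "-":
            continue  # unauthenticated transaction, no user to compare
        if ip in last_seen:
            prev_user, prev_ts = last_seen[ip]
            if prev_user != user and ts - prev_ts <= window:
                changes.append((ip, prev_user, user, ts - prev_ts))
        last_seen[ip] = (user, ts)
    return changes


def fallback_clients(records):
    """Client IPs with traffic that was not identified transparently, i.e.
    clients that hit the guest-access or authentication-prompt path."""
    return sorted({r["c-ip"] for r in records
                   if r["x-auth-mechanism"] not in TRANSPARENT})


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("mechanisms:", dict(mechanism_summary(recs)))
    for ip, old, new, secs in ip_user_changes(recs):
        print(f"{ip}: {old} -> {new} within {secs}s; check mapping refresh")
    print("clients that fell back to prompt/guest:", fallback_clients(recs))
```

On the constructed sample the script reports one IP (10.1.1.20) whose user changed from jsmith to akumar within 10 seconds, and one client (10.1.1.22) that was never identified transparently. In practice, feed it the W3C log export after adding the x-auth-mechanism custom field, and treat a short user change on one IP as a prompt to confirm that the eDirectory network address for the old user no longer points at that workstation.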
Configuring Transparent User Identification
To use transparent user identification:
Step 1
Create an LDAP authentication realm for a Novell eDirectory server. Configure the realm to use Version 3 and to “Support Novell eDirectory.”
For more information on configuring LDAP options, see
For more information on creating authentication realms, see
.