Cisco Web Security Appliance S670 User Manual
8-16
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8      Identities
Identifying Users Transparently
• Novell eDirectory must be configured to update the NetworkAddress attribute of the user object when users log in. For more information on how to do this, see the following Novell support article: http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7004564&sliceId=1&docTypeID=DT_TID_1_1&dialogID=100407203&stateId=0%200%20100405493?

Note: Novell eDirectory versions 8.6, 8.7, and 8.8 can be configured to update the NetworkAddress attribute.

• When querying Novell eDirectory, AsyncOS for Web only searches for direct parent groups that the user belongs to. It does not search nested groups.

• You can use the “network address” field of the user in Novell eDirectory to obtain the IP address of the workstation from which the user previously logged in.
Rules and Guidelines
Consider the following rules and guidelines when using transparent user identification with any 
authentication server:
• When using DHCP to assign IP addresses to client machines, ensure the IP address to user name mapping is updated on the Web Security appliance more frequently than the DHCP lease. Use the tuiconfig CLI command to update the mapping update interval. For more information, see

• If an end user logs out of a machine and another user logs in to the same machine before the IP address to user name mapping is updated on the Web Security appliance, then the Web Proxy logs the client as the previous user.

• You can configure how the Web Proxy handles transactions when transparent user identification fails. It can grant users guest access, or it can force an authentication prompt to appear to end users.

• When a user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.

• When the assigned Identity uses an authentication sequence with multiple realms in which the user exists, AsyncOS for Web fetches the user groups from the realms in the order in which they appear in the sequence.

• When you configure an Identity to transparently identify users, the authentication surrogate must be IP address. You cannot select a different surrogate type.

• When you view detailed transactions for users, the Web Tracking page shows which users were identified transparently.

• When you configure an Identity to identify users transparently, AsyncOS for Web only displays sequences in which all realms have transparent user identification enabled.

• You can log which users were identified transparently in the access logs and W3C logs using the %m and x-auth-mechanism custom fields. A value of SSO_TUI indicates that the user name was obtained by matching the client IP address to an authenticated user name using transparent user identification. (Similarly, a value of SSO_ASA indicates that the user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility Solution.)
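The following script is an added example and is not part of the Cisco guide or AsyncOS; it shows how an administrator could review exported access log lines that carry the %m / x-auth-mechanism custom field, and how the stale-mapping case described above (a second user logs in before the IP-to-user mapping is refreshed) leaves a trace worth checking. The log lines are constructed and deliberately simplified (space-separated fields in an assumed order, with the auth mechanism value as the last field); the real appliance format and field order differ, so the parser would need to be adapted to the configured log format. The refresh interval is the value you set with tuiconfig, passed in here as a parameter.

```python
from collections import Counter, defaultdict

# Constructed sample lines (not real appliance output). Assumed field order:
# epoch_seconds elapsed_ms client_ip result/status bytes method url user auth_mechanism
# The last field stands in for the %m / x-auth-mechanism custom field value.
SAMPLE_LOG = [
    "1577836800 120 10.1.2.10 TCP_MISS/200 4521 GET http://example.com/ alice@corp.example SSO_TUI",
    "1577836830 95 10.1.2.10 TCP_MISS/200 1024 GET http://example.com/a alice@corp.example SSO_TUI",
    "1577836900 80 10.1.2.11 TCP_MISS/200 2048 GET http://example.org/ bob@corp.example BASIC",
    "1577836950 60 10.1.2.10 TCP_MISS/200 900 GET http://example.net/ carol@corp.example SSO_TUI",
    "1577837000 70 10.1.2.12 TCP_MISS/200 700 GET http://example.com/x - NONE",
    "1577837100 50 10.1.2.13 TCP_MISS/200 600 GET http://example.com/y dave@corp.example SSO_ASA",
]

TRANSPARENT = "SSO_TUI"  # user name came from the client IP -> user name mapping
REMOTE_ASA = "SSO_ASA"   # user name came from a Cisco ASA (Secure Mobility)


def parse_line(line):
    """Split one constructed log line into the fields this example uses."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"unexpected field count in line: {line!r}")
    ts, _elapsed, ip, _result, _size, _method, url, user, mech = fields
    return {"ts": int(ts), "ip": ip, "url": url, "user": user, "mech": mech}


def parse_log(lines):
    return [parse_line(line) for line in lines if line.strip()]


def count_auth_mechanisms(records):
    """How many transactions were attributed by each mechanism (SSO_TUI, SSO_ASA, ...)."""
    return dict(Counter(r["mech"] for r in records))


def transparently_identified_users(records):
    """Distinct user names that were assigned purely by IP-to-user matching."""
    return sorted({r["user"] for r in records if r["mech"] == TRANSPARENT})


def find_user_switches(records, refresh_interval_s):
    """For each client IP whose SSO_TUI user name changes between consecutive
    records, report (ip, previous_user, new_user, gap_seconds, at_risk_count).

    at_risk_count is the number of records still attributed to the previous
    user within one refresh interval before the switch: during that window the
    new user may already have been logged in while the appliance still held the
    old mapping, so those transactions may be misattributed.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["mech"] == TRANSPARENT:
            by_ip[r["ip"]].append(r)

    switches = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            if prev["user"] == cur["user"]:
                continue
            gap = cur["ts"] - prev["ts"]
            window_start = cur["ts"] - refresh_interval_s
            at_risk = sum(
                1 for r in recs
                if r["user"] == prev["user"] and window_start <= r["ts"] < cur["ts"]
            )
            switches.append((ip, prev["user"], cur["user"], gap, at_risk))
    return switches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("mechanisms:", count_auth_mechanisms(recs))
    print("SSO_TUI users:", transparently_identified_users(recs))
    for ip, old, new, gap, risk in find_user_switches(recs, refresh_interval_s=300):
        print(f"{ip}: {old} -> {new} after {gap}s; {risk} earlier record(s) possibly misattributed")
```

With a 300-second refresh interval the two requests logged as alice on 10.1.2.10 shortly before carol appears fall inside the window of doubt; with a 100-second interval none do, which is the practical effect of the guidance to refresh the mapping more often than users change machines (and more often than the DHCP lease).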