Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 20 Authentication
Understanding How Authentication Works
• Authentication server is unavailable. An authentication server might be unavailable if the network
connection is broken or if the server is experiencing a problem. To avoid this problem, configure the
“Action if Authentication Service Unavailable” global authentication setting. For more information,
see
• Invalid credentials. When a client passes invalid authentication credentials, the Web Proxy
continually requests valid credentials, essentially blocking access to the web by default. However,
you can grant limited access to users who fail authentication. For more information, see
Note
You can configure the Web Proxy to request authentication again if an authenticated user is blocked from
a website due to restrictive URL filtering or being prevented from logging into multiple machines
simultaneously. To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL
Category or User Session Restriction” global authentication setting. For more information, see
Working with Windows 7 and Windows Vista
Windows 7 and Windows Vista machines have a feature called Network Connectivity Status Indicator
(NCSI). When clients on your network use NCSI and the Web Security appliance uses NTLMSSP
authentication, you should configure the appliance so it uses a relatively small timeout value for machine
credentials. Do this using the advancedproxyconfig > authentication CLI command:
Enter the surrogate timeout for machine credentials.
When NCSI is running on a Windows machine, it checks for network connectivity by making HTTP
requests. When the machine running NCSI is prompted to authenticate (the request is assigned an
Identity Policy that requires authentication), NCSI authenticates using the machine’s credentials instead
of the user’s credentials.
When the Identity Policy uses IP-based surrogates, subsequent requests from the user might be assigned
an incorrect Access Policy, because the user would be identified using the machine credentials instead of the
user’s own credentials.
You can use the advancedproxyconfig > authentication CLI command to specify how long the IP
address surrogate is used for machine credentials before requiring authentication again. The Web Proxy
differentiates between user and machine credentials.
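The effect of a separate, short surrogate timeout for machine credentials can be seen in a small model. The following Python sketch is an added illustration, not Cisco code and not the appliance's implementation; the class and function names, timeout values and account names are constructed, and it assumes machine accounts are recognized by the trailing "$" of Active Directory computer account names.

```python
from dataclasses import dataclass

def is_machine_account(principal):
    # Assumption: AD computer accounts have a sAMAccountName ending in "$".
    return principal.split("\\")[-1].endswith("$")

@dataclass
class Surrogate:
    principal: str
    expires_at: float

class IPSurrogateCache:
    """Toy model of an IP-based surrogate: client IP -> cached principal."""

    def __init__(self, user_ttl, machine_ttl):
        self.user_ttl = user_ttl
        self.machine_ttl = machine_ttl
        self._by_ip = {}

    def record_auth(self, ip, principal, now):
        # Machine and user credentials get different surrogate lifetimes.
        ttl = self.machine_ttl if is_machine_account(principal) else self.user_ttl
        self._by_ip[ip] = Surrogate(principal, now + ttl)

    def identify(self, ip, now):
        """Return the cached principal, or None if authentication is required again."""
        entry = self._by_ip.get(ip)
        if entry is None or now >= entry.expires_at:
            self._by_ip.pop(ip, None)
            return None
        return entry.principal

def misattributed(cache, ip, machine, ncsi_time, user_request_times):
    """Times at which a user's request would be identified as the machine account."""
    cache.record_auth(ip, machine, ncsi_time)  # NCSI probe authenticates first
    return [t for t in user_request_times if cache.identify(ip, t) == machine]

def demo():
    ip, machine = "10.0.0.25", "CORP\\WKSTN01$"  # constructed sample values
    requests = [5, 60, 600]                      # seconds after the NCSI probe
    same_ttl = misattributed(IPSurrogateCache(3600, 3600), ip, machine, 0, requests)
    short_ttl = misattributed(IPSurrogateCache(3600, 10), ip, machine, 0, requests)
    return same_ttl, short_ttl

if __name__ == "__main__":
    print(demo())
```

With the same lifetime for both credential types, every user request in the sample is matched to the machine account; with a short machine lifetime only the request inside the first 10 seconds is.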
Understanding How Authentication Works
To authenticate users who access the web, the Web Security appliance connects to an external
authentication server. The authentication server contains a list of users and their corresponding
passwords and it organizes the users into a hierarchy. For users on the network to successfully
authenticate, they must provide valid authentication credentials (user name and password as stored in
the authentication server).
When users access the web through a Web Security appliance that requires authentication, the Web
Proxy asks the client for authentication credentials. The Web Proxy communicates with both the client
and the authentication server to authenticate the user and process the request.
Figure 20-1 shows how the Web Security appliance communicates with clients and authentication
servers.