Cisco Cisco Web Security Appliance S170 사용자 가이드

Web Proxy deployment also affects how authentication works in each of the scenarios described in 

. For more information, see 

.

When you configure an Identity group to use authentication, you choose the authentication scheme, 
either Basic or NTLMSSP. The authentication scheme affects the user experience and the security of 
users’ passwords.

 describes the differences between Basic and NTLMSSP authentication schemes. 

The Web Proxy communicates with clients and authentication servers differently depending on the type 
of Web Proxy deployment and the authentication protocol.

 lists the possible methods of authentication for the various authentication protocols and 

deployment type. 

Basic

The client always prompts users for 
credentials. After the user enters 
credentials, browsers typically offer a 
check box to remember the provided 
credentials. Each time the user opens the 
browser, the client either prompts for 
credentials or resends the previously 
saved credentials.

Credentials are sent unsecured as clear 
text (Base64). A packet capture between 
the client and Web Security appliance can 
reveal the user name and password.

Note: You can configure the Web Security 
appliance so clients send authentication 
credentials securely. For more 
information, see 

.

NTLMSSP

The client transparently authenticates by 
using its Windows login credentials. The 
user is not prompted for credentials.

However, the client prompts the user for 
credentials under the following 
circumstances:

The Windows credentials failed.

The client does not trust the Web 
Security appliance because of 
browser security settings.

Credentials are sent securely using a 
three-way handshake (digest style 
authentication). The password is never 
sent across the connection.

For more information on the three-way 
handshake, see 

.

Explicit forward

Basic

LDAP or NTLM Basic

Transparent

Basic

LDAP or NTLM Basic