Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 20 Authentication
Understanding How Authentication Works
Web Proxy deployment also affects how authentication works in each of the scenarios described in Table 20-1. For more information, see .
Basic versus NTLMSSP Authentication Schemes
When you configure an Identity group to use authentication, you choose the authentication scheme, either Basic or NTLMSSP. The authentication scheme affects the user experience and the security of users’ passwords. Table 20-2 describes the differences between Basic and NTLMSSP authentication schemes.
How Web Proxy Deployment Affects Authentication
The Web Proxy communicates with clients and authentication servers differently depending on the type of Web Proxy deployment and the authentication protocol. Table 20-3 lists the possible methods of authentication for the various authentication protocols and deployment type.
Table 20-2 Basic versus NTLMSSP Authentication Schemes

| Authentication Scheme | User Experience | Security |
|---|---|---|
| Basic | The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember the provided credentials. Each time the user opens the browser, the client either prompts for credentials or resends the previously saved credentials. | Credentials are sent unsecured as clear text (Base64). A packet capture between the client and Web Security appliance can reveal the user name and password. Note: You can configure the Web Security appliance so clients send authentication credentials securely. For more information, see . |
| NTLMSSP | The client transparently authenticates by using its Windows login credentials. The user is not prompted for credentials. However, the client prompts the user for credentials under the following circumstances: • The Windows credentials failed. • The client does not trust the Web Security appliance because of browser security settings. | Credentials are sent securely using a three-way handshake (digest style authentication). The password is never sent across the connection. For more information on the three-way handshake, see . |
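The following Python sketch is an added example, not code from the Cisco guide, that illustrates the Security column of Table 20-2 by classifying authentication headers seen in a capture and reporting whether the password itself is on the wire. The standard HTTP `Authorization` and `Proxy-Authorization` header names are assumed because the page does not name them, and all sample values are constructed.

```python
import base64
import struct


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample headers (not from a real capture). The Basic value encodes
# the made-up pair jsmith / Winter2012!; the NTLM values are minimal NTLMSSP
# messages of type 1 (negotiate) and type 3 (authenticate), zero-padded.
SAMPLE_HEADERS = [
    "Proxy-Authorization: Basic " + _b64(b"jsmith:Winter2012!"),
    "Proxy-Authorization: NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(20)),
    "Authorization: NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(52)),
]
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_auth_header(line):
    """Describe what one HTTP authentication header exposes on the wire."""
    name, _, value = line.partition(":")
    if name.strip().lower() not in ("authorization", "proxy-authorization"):
        return None  # not an authentication header
    scheme, _, blob = value.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "error": "not valid Base64"}
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: user and password decode directly.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        # Report only the length so the audit output never repeats the secret.
        return {"scheme": "Basic", "user": user,
                "password_on_wire": bool(sep), "password_length": len(password)}
    if scheme.lower() == "ntlm" and len(raw) >= 12 and raw[:8] == b"NTLMSSP\x00":
        # Bytes 8..11 hold the little-endian message type of the handshake step.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return {"scheme": "NTLMSSP", "message": NTLM_TYPES.get(msg_type, "unknown"),
                "password_on_wire": False}
    return {"scheme": scheme, "error": "unrecognised payload"}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_auth_header(header))
```

A `Basic` result with `password_on_wire` set to true on an unencrypted client-to-appliance path is the exposure the table describes.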
Table 20-3 Methods of Authentication

| Web Proxy Deployment | Client to Web Security Appliance | Web Security Appliance to Authentication Server |
|---|---|---|
| Explicit forward | Basic | LDAP or NTLM Basic |
| Transparent | Basic | LDAP or NTLM Basic |