Cisco Cisco Web Security Appliance S170 사용자 가이드
20-8
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 20 Authentication
Understanding How Authentication Works
4.
Web Proxy sends a 401 HTTP response “Authorization required.”
5.
User is prompted for credentials and enters them.
6.
Client sends the request again, but this time with the credentials in an “Authorization” HTTP header.
7.
Web Proxy confirms the credentials, tracks the user by IP address or with a cookie, and then redirects
the client to the originally requested server.
the client to the originally requested server.
Note
You can configure the Web Proxy to use either IP addresses or cookies to track authenticated
users.
users.
8.
If the client requests the original web page again, the Web Proxy transparently intercepts the request,
confirms the user by IP address or cookie, and returns the requested page.
confirms the user by IP address or cookie, and returns the requested page.
Note
If the client tries to connect to another web page and the Web Proxy tracked the user by IP address, the
Web Proxy confirms the user by IP address and returns the requested page.
Web Proxy confirms the user by IP address and returns the requested page.
Table 20-5
lists advantages and disadvantages of using transparent Basic authentication and IP-based
credential caching.
Table 20-6
lists advantages and disadvantages of using transparent Basic authentication and
cookie-based credential caching.
Explicit Forward Deployment, NTLM Authentication
The Web Proxy uses a third party challenge and response system to authenticate users on the network.
Table 20-5
Pros and Cons of Transparent Basic Authentication—IP Caching
Advantages
Disadvantages
•
Works with all major browsers
•
With user agents that do not support
authentication, users only need to authenticate
first in a supported browser
authentication, users only need to authenticate
first in a supported browser
•
Relatively low overhead
•
Works for HTTPS requests if the user has
previously authenticated with an HTTP
request
previously authenticated with an HTTP
request
•
Authentication credentials are associated with
the IP address, not the user (does not work in
Citrix and RDP environments, or if the user
changes IP address)
the IP address, not the user (does not work in
Citrix and RDP environments, or if the user
changes IP address)
•
No single sign-on
•
Password is sent as clear text (Base64)
Table 20-6
Pros and Cons of Transparent Basic Authentication—Cookie Caching
Advantages
Disadvantages
•
Works with all major browsers
•
Authentication is associated with
the user rather than the host or IP
address
the user rather than the host or IP
address
•
Each new web domain requires the entire authentication
process because cookies are domain specific
process because cookies are domain specific
•
Requires cookies to be enabled
•
Does not work for HTTPS requests
•
No single sign-on
•
Password is sent as clear text (Base64)