Cisco Web Security Appliance S170 User Guide
20-9
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 20 Authentication
Understanding How Authentication Works
The authentication process comprises these steps:
1. Client sends a request to the Web Proxy to connect to a web page.
2. Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
3. Client repeats the request and includes a “Proxy-Authorization” HTTP header with an NTLM “negotiate” message.
4. Web Proxy responds with a 407 HTTP response and an NTLM “challenge” message based on the negotiate message from the client.
5. Client repeats the request and includes a response to the challenge message.
Note
The client uses an algorithm based on its password to modify the challenge and sends the challenge response to the Web Proxy.
6. Web Proxy passes the authentication information to the Active Directory server. The Active Directory server then verifies that the client used the correct password based on whether or not it modified the challenge string appropriately.
7. If the challenge response passes, the Web Proxy returns the requested web page.
Note
Additional requests on the same TCP connection do not need to be authenticated again with the Active Directory server.
Table 20-7 lists advantages and disadvantages of using explicit forward NTLM authentication.
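The seven-step exchange above, modelled end to end as an added example (not code from this guide or from AsyncOS): a stand-in Web Proxy, a stand-in Active Directory server and a client that completes the 407 handshake over one connection. The challenge transform is a constructed HMAC, not the real NTLM algorithm, and the "NEGOTIATE", "CHALLENGE:" and "AUTH:" message bodies are assumed placeholders for the NTLM messages; what the model preserves is that the password never appears on the wire and that the authenticated state belongs to the TCP connection.

```python
import base64, hashlib, hmac, secrets

def b64(raw: bytes) -> str: return base64.b64encode(raw).decode()
def b64d(text: str) -> bytes: return base64.b64decode(text)

def challenge_response(password, challenge):
    """Constructed stand-in for the password-based transform of the challenge (NOT the real NTLM algorithm)."""
    key = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

class DirectoryServer:
    """Stand-in for the Active Directory server: holds passwords and checks a challenge response."""
    def __init__(self, accounts): self.accounts = accounts
    def verify(self, user, challenge, response):
        pw = self.accounts.get(user)
        return pw is not None and hmac.compare_digest(challenge_response(pw, challenge), response)

class WebProxy:
    """Proxy side of steps 2, 4, 6 and 7; authentication state is kept per TCP connection."""
    def __init__(self, ad): self.ad, self.conns, self.wire = ad, {}, []   # wire: all request headers seen
    def handle(self, conn_id, headers):
        self.wire.append(dict(headers))
        st = self.conns.setdefault(conn_id, {"user": None, "challenge": None})
        if st["user"]:                                     # same connection: no re-authentication
            return 200, {}, f"page for {st['user']}"
        auth = headers.get("Proxy-Authorization", "")
        if not auth.startswith("NTLM "):                   # step 2: 407 Proxy Authentication Required
            return 407, {"Proxy-Authenticate": "NTLM"}, ""
        msg = b64d(auth[5:])
        if msg == b"NEGOTIATE":                            # step 4: 407 carrying a fresh challenge
            st["challenge"] = secrets.token_bytes(8)
            return 407, {"Proxy-Authenticate": "NTLM " + b64(b"CHALLENGE:" + st["challenge"])}, ""
        if msg.startswith(b"AUTH:") and st["challenge"]:   # step 6: hand the response to the directory
            user, resp = msg[5:].split(b":", 1)
            chal, st["challenge"] = st["challenge"], None  # each challenge is usable exactly once
            if self.ad.verify(user.decode(), chal, resp):
                st["user"] = user.decode()
                return 200, {}, f"page for {st['user']}"   # step 7: the requested page
        return 407, {"Proxy-Authenticate": "NTLM"}, ""     # failed or out-of-order: start over

def client_fetch(proxy, conn_id, user, password):
    """Client side of steps 1, 3 and 5 on a fresh connection; returns the proxy's final (status, body)."""
    proxy.handle(conn_id, {})                                         # step 1: plain request
    _, hdrs, _ = proxy.handle(conn_id, {"Proxy-Authorization": "NTLM " + b64(b"NEGOTIATE")})  # step 3
    chal = b64d(hdrs["Proxy-Authenticate"][5:])[len(b"CHALLENGE:"):]
    auth = b"AUTH:" + user.encode() + b":" + challenge_response(password, chal)
    status, _, body = proxy.handle(conn_id, {"Proxy-Authorization": "NTLM " + b64(auth)})   # step 5
    return status, body
```

Inspecting `proxy.wire` after a run shows only base64 negotiate, challenge and response material; the password itself is never sent, and a captured response replayed on another connection is refused because that connection holds no matching challenge.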
Transparent Deployment, NTLM Authentication
Transparent NTLM authentication is similar to transparent Basic authentication except that the Web Proxy communicates with clients using NTLMSSP instead of Basic. However, with transparent NTLM authentication, the authentication credentials are not sent in the clear to the authentication server.
For more information, see
The advantages and disadvantages of using transparent NTLM authentication are the same as those of using transparent Basic authentication except that transparent NTLM authentication is better because the password is not sent to the authentication server and you can achieve single sign-on when the client applications are configured to trust the Web Security appliance. For more information on the advantages and disadvantages of transparent Basic authentication, see Table 20-5 on page 20-8 and Table 20-6 on page 20-8.
Table 20-7 Pros and Cons of Explicit Forward NTLM Authentication
Advantages
• Because the password is not transmitted to the authentication server, it is more secure
• Connection is authenticated, not the host or IP address
• Achieves true single sign-on in an Active Directory environment when the client applications are configured to trust the Web Security appliance
Disadvantages
• Moderate overhead: each new connection needs to be re-authenticated
• Primarily supported on Windows only and with major browsers only