Cisco Cisco Web Security Appliance S170 사용자 가이드
134
I R O N P O R T A S Y N C O S 6 . 5 F O R W E B U S E R G U I D E
• Is this user allowed to directly connect to the web server, or must it connect to another
proxy server first?
• Is this user allowed to upload this data?
The Web Proxy can only authorize a user to access an Internet resource after it authenticates
who the user is. The Web Proxy authenticates users when it evaluates Identity groups, and it
authorizes users when it evaluates all other policy group types. What that means is the
Identity group indicates who is making the request, but does not indicate whether that client
is allowed to make the request.
who the user is. The Web Proxy authenticates users when it evaluates Identity groups, and it
authorizes users when it evaluates all other policy group types. What that means is the
Identity group indicates who is making the request, but does not indicate whether that client
is allowed to make the request.
By separating authentication from authorization, you can create a single Identity group that
identifies a group of users and then you can create multiple policy groups that allow different
levels of access to subsets of users in the group in the Identity.
identifies a group of users and then you can create multiple policy groups that allow different
levels of access to subsets of users in the group in the Identity.
For example, you can create one Identity group that covers all users in an authentication
sequence. Then you can create an Access Policy group for each authentication realm in the
sequence. You can also use this Identity to create one Decryption Policy with the same level
of access for all users in the Identity.
sequence. Then you can create an Access Policy group for each authentication realm in the
sequence. You can also use this Identity to create one Decryption Policy with the same level
of access for all users in the Identity.
Working with Failed Authentication and Authorization
You can allow users another opportunity to access the web if they fail authentication or
authorization. How you configure the Web Security appliance depends on what fails:
authorization. How you configure the Web Security appliance depends on what fails:
• Authentication. When authentication fails, you can grant guest access to the user.
Authentication might fail under the following circumstances:
• A new hire has been provided credentials in an email but they are not yet populated
in the authentication server.
• A visitor comes to the office and needs to be granted restrictive Internet access, but is
not in the corporate user directory.
For more information on configuring guest access, see “Allowing Guest Access to Users
Who Fail Authentication” on page 155.
Who Fail Authentication” on page 155.
• Authorization. A user might authenticate correctly, but not be granted access to the web
due to the applicable Access Policy. In this case, you can allow the user to re-authenticate
with more privileged credentials. To do this, enable the “Enable Re-Authentication Prompt
If End User Blocked by URL Category” global authentication setting. For more
information, see “Allowing Users to Re-Authenticate” on page 386.
with more privileged credentials. To do this, enable the “Enable Re-Authentication Prompt
If End User Blocked by URL Category” global authentication setting. For more
information, see “Allowing Users to Re-Authenticate” on page 386.
Working with All Identities
You can create a policy group that specifies “All Identities” as the configured Identity group.
“All Identities” applies to every valid client request because by definition, every request either
succeeds and has a user defined or global Identity assigned to it or is terminated because it
fails authentication (and no guest access was provided for users failing authentication).
“All Identities” applies to every valid client request because by definition, every request either
succeeds and has a user defined or global Identity assigned to it or is terminated because it
fails authentication (and no guest access was provided for users failing authentication).
When you create a policy group that uses All Identities, you must configure at least one
advanced option to distinguish the policy group from the global policy group.
advanced option to distinguish the policy group from the global policy group.