Cisco Cisco Web Security Appliance S170 사용자 가이드
H O W A U T H E N T I C A T I O N W O R K S
C H A P T E R 1 7 : A U T H E N T I C A T I O N
357
H O W A U T H E N T I C A T I O N WO R K S
To authenticate users who access the web, the Web Security appliance connects to an
external authentication server. The authentication server contains a list of users and their
corresponding passwords and it organizes the users into a hierarchy. For users on the network
to successfully authenticate, they must provide valid authentication credentials (user name
and password as stored in the authentication server).
external authentication server. The authentication server contains a list of users and their
corresponding passwords and it organizes the users into a hierarchy. For users on the network
to successfully authenticate, they must provide valid authentication credentials (user name
and password as stored in the authentication server).
When users access the web through a Web Security appliance that requires authentication,
the Web Proxy asks the client for authentication credentials. The Web Proxy communicates
with both the client and the authentication server to authenticate the user and process the
request.
the Web Proxy asks the client for authentication credentials. The Web Proxy communicates
with both the client and the authentication server to authenticate the user and process the
request.
Figure 17-1 shows how the Web Security appliance communicates with clients and
authentication servers.
authentication servers.
Figure 17-1 Web Security Appliance Authentication
The Web Security appliance supports the following authentication protocols:
• Lightweight Directory Access Protocol (LDAP). The Web Proxy uses the LDAP Bind
operation to query an LDAP-compatible authentication server. The appliance supports
standard LDAP server authentication and secure LDAP authentication.
standard LDAP server authentication and secure LDAP authentication.
For more information about LDAP configuration options, see “LDAP Authentication” on
page 390.
page 390.
• NT LAN Manager (NTLM). The Web Proxy uses NTLM, a Microsoft proprietary protocol,
to authenticate users which exist in Microsoft Active Directory. The NTLM protocol uses a
challenge-response sequence of messages between the client and the Active Directory
server. You can use either NTLMSSP or Basic authentication schemes on client side.
challenge-response sequence of messages between the client and the Active Directory
server. You can use either NTLMSSP or Basic authentication schemes on client side.
For more information about NTLM configuration options, see “NTLM Authentication” on
page 396.
page 396.
In addition to the preceding protocols, the Web Security appliance supports the following
client side authentication schemes:
client side authentication schemes:
Client
Authentication
Server
Web Security Appliance
Basic or NTLMSSP
LDAP or NTLM