Cisco Cisco Web Security Appliance S170 사용자 가이드
A P P L I A N C E B E H A V I O R W I T H M U L T I P L E A U T H E N T I C A T I O N R E A L M S
C H A P T E R 1 7 : A U T H E N T I C A T I O N
369
A P P L I A N C E B E H AV I O R W I T H M U L T I P L E A U T H E N T I C A T I O N R E A L M S
You can configure the Web Security appliance to attempt authenticating clients against
multiple authentication servers, and against authentication servers with different
authentication protocols. When you configure the appliance to authenticate against multiple
authentication servers, it only requests the credentials from the clients once. This is true even
when you configure the appliance to authenticate against different protocols.
multiple authentication servers, and against authentication servers with different
authentication protocols. When you configure the appliance to authenticate against multiple
authentication servers, it only requests the credentials from the clients once. This is true even
when you configure the appliance to authenticate against different protocols.
You might want to configure a web policy group to authenticate against different realms if
your organization acquires another organization that has its own authentication server using
the same or a different authentication protocol. That way, you can create one Access Policy
group for all users and assign to the policy group an authentication sequence that contains a
realm for each authentication server.
your organization acquires another organization that has its own authentication server using
the same or a different authentication protocol. That way, you can create one Access Policy
group for all users and assign to the policy group an authentication sequence that contains a
realm for each authentication server.
When you assign an authentication sequence with multiple realms to a policy group and a
client sends a content request, the appliance performs the following actions:
client sends a content request, the appliance performs the following actions:
1. The appliance gets the credentials from the client.
2. The appliance attempts to authenticate the client against the authentication server(s)
defined in the first realm in the sequence.
3. If the client credentials do not match a user in the servers defined in the first realm, it tries
to authenticate against the authentication server(s) in the next realm in the sequence.
4. The appliance continues trying to authenticate the client against servers in the next realms
until it either succeeds or runs out of authentication realms.
5. When authentication succeeds, the appliance passes the content response to the client.
6. When the appliance fails to authenticate the client against any authentication realm in the
sequence, the appliance does not allow the client to connect to the destination server.
Instead, it displays an error message to the client.
Instead, it displays an error message to the client.
Tip: For optimal performance, configure clients on a subnet to be authenticated in a single
realm.
realm.