Cisco Cisco Web Security Appliance S170 사용자 가이드

The Web Proxy sequentially reads through each Identity group in the Identity policies table. It compares 
the client request status to the membership criteria of the first Identity group. If they match, the Web 
Proxy assigns the Identity group to the transaction.

If they do not match, the Web Proxy compares the client request to the next Identity group. It continues 
this process until it matches the client request to a user defined Identity group, or if it does not match a 
user defined Identity group, it matches the global Identity policy. When the Web Proxy matches the client 
request to an Identity group or the global Identity policy, it assigns the Identity group to the transaction.

If at any time during the comparison process the user fails authentication, the Web Proxy terminates the 
request. For more information about how authentication works with Identity groups, see 

.

After the Web Proxy assigns an Identity to a client request, it evaluates the request against the other 
policy group types. For more information, see the following locations:

Requiring authentication for users can help your organization control access to the web for groups of 
users. AsyncOS allows you to create multiple Identity groups and define the membership criteria based 
on authentication requirements.

When authentication is required for an Identity group, a gold key icon appears next to the Identity group 
name in the Policies table, as shown in 

.

To define authentication requirements for an Identity group, you can choose an authentication realm or 
sequence that applies to the Identity group. 

You can specify the authorized users when you use the Identity in a non-Identity policy group.

Consider the following rules and guidelines when creating and ordering Identity groups:

Identity group order. All Identity groups that do not require authentication must be above Identity 
groups that require authentication.