Cisco Web Security Appliance S170 User Guide
9-12
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 9 Identities
Identifying Users Transparently
If the IP address does not match a user name, you can configure how to handle the transaction. You can grant the end user guest access, or you can force an authentication prompt to appear to the end user.
When an end user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.
Figure 9-4 shows where you grant guest access when configuring an Identity for transparent user identification.
Figure 9-4 Granting Guest Access—Transparent User Identification
The current IP address to user name mapping is updated, by default, every 600 seconds. You can change this time interval using the tuiconfig CLI command. For more information, see .
Note
When you enable re-authentication and a transaction is blocked by URL filtering, an end-user notification page appears with the option to log in as a different user. Users who click the link are prompted for authentication. For more information, see .
Transparent User Identification with Active Directory
Active Directory does not record user login event information in a method that is easily queried by other servers, such as the Web Security appliance. However, Cisco offers the Cisco Active Directory Agent (AD Agent) that queries the Active Directory security event logs to maintain an IP address to user name mapping of users authenticated with Active Directory. The Active Directory Agent acts as a sort of identity repository.
AsyncOS for Web communicates with the Active Directory Agent to maintain a local copy of the IP address to user name mapping. When AsyncOS for Web needs to associate an IP address with a user name, it first checks its local copy of the mapping. If no match is found, it queries the Active Directory Agent to find a match.
For more information on installing and configuring the Active Directory Agent, see
Consider the following rules and guidelines when you identify users transparently using Active Directory:
• Transparent user identification with Active Directory works with an NTLM authentication realm only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory instance.
• Transparent user identification works with the versions of Active Directory supported by the Active Directory Agent.
• Optionally, you can install a second instance of the Active Directory Agent on a different machine to achieve high availability. When you do this, each Active Directory Agent maintains an IP address to user name mapping independently of the other agent. AsyncOS for Web uses the backup Active Directory Agent after three unsuccessful ping attempts to the primary agent.
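The lookup order described above (local copy of the IP-to-user mapping first, then a query to the AD Agent, with the 600-second refresh interval and the switch to the backup agent after three unsuccessful pings) and the guest-or-prompt decision when no user name is found can be modelled in a few dozen lines. The following is an added illustration written for this page, not Cisco's code and not the appliance's actual implementation: the AdAgent class, the resolver's method names, the per-lookup ping and the returned source labels are all assumptions chosen to make the behaviour visible in a test.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REFRESH_INTERVAL = 600          # seconds; the guide's default mapping refresh interval
PING_FAILURES_BEFORE_FAILOVER = 3  # the guide: backup agent after three unsuccessful pings


@dataclass
class AdAgent:
    """Constructed stand-in for an Active Directory Agent (hypothetical, not the real API).

    It exposes a reachability flag and an IP-address-to-user-name table that models
    the mapping the agent builds from the AD security event logs.
    """
    name: str
    reachable: bool = True
    mapping: Dict[str, str] = field(default_factory=dict)

    def ping(self) -> bool:
        return self.reachable

    def lookup(self, ip: str) -> Optional[str]:
        return self.mapping.get(ip)


class TransparentIdResolver:
    """Models the appliance's transparent user identification lookup (illustrative only)."""

    def __init__(self, primary: AdAgent, backup: Optional[AdAgent] = None,
                 refresh_interval: int = REFRESH_INTERVAL, fallback: str = "prompt"):
        if fallback not in ("guest", "prompt"):
            raise ValueError("fallback must be 'guest' or 'prompt'")
        self.primary = primary
        self.backup = backup
        self.refresh_interval = refresh_interval
        self.fallback = fallback            # what to do when no user name matches the IP
        self.cache: Dict[str, Tuple[str, float]] = {}   # ip -> (user, time fetched)
        self.primary_failures = 0           # consecutive failed pings to the primary agent

    def _active_agent(self) -> Optional[AdAgent]:
        # Assumption: one ping per lookup; a successful ping resets the failure count.
        if self.primary.ping():
            self.primary_failures = 0
            return self.primary
        self.primary_failures += 1
        if self.backup is not None and self.primary_failures >= PING_FAILURES_BEFORE_FAILOVER:
            return self.backup
        return None

    def resolve(self, ip: str, now: float) -> Tuple[Optional[str], str]:
        """Return (user_name or None, source) for an IP address at time `now` (seconds)."""
        entry = self.cache.get(ip)
        if entry is not None and now - entry[1] < self.refresh_interval:
            return entry[0], "local-cache"      # fresh local copy: no agent query needed
        agent = self._active_agent()
        if agent is None:
            return None, "agent-unreachable"
        user = agent.lookup(ip)
        if user is not None:
            self.cache[ip] = (user, now)        # refresh the local copy
            return user, agent.name
        return None, "no-mapping"

    def decide(self, ip: str, now: float) -> Tuple[str, Optional[str], str]:
        """Map a lookup result onto the Identity's configured action."""
        user, source = self.resolve(ip, now)
        if user is not None:
            return "identified", user, source
        return self.fallback, None, source       # 'guest' access or an authentication prompt


if __name__ == "__main__":
    # Constructed sample data: two agents with independently maintained mappings.
    primary = AdAgent("primary", mapping={"10.0.0.5": "alice"})
    backup = AdAgent("backup", mapping={"10.0.0.5": "alice", "10.0.0.9": "bob"})
    resolver = TransparentIdResolver(primary, backup, fallback="guest")
    print(resolver.decide("10.0.0.5", now=0.0))     # identified via the primary agent
    print(resolver.decide("10.0.0.5", now=100.0))   # served from the local copy
    print(resolver.decide("10.0.0.7", now=0.0))     # unknown IP: guest access
    primary.reachable = False
    for _ in range(3):
        print(resolver.decide("10.0.0.9", now=0.0)) # third failed ping: backup answers
```

The `source` field is the part worth logging in practice: a run of "agent-unreachable" results means clients are silently falling through to guest access or prompts, which is the condition the high-availability guideline above is meant to prevent.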