Cisco Web Security Appliance S170 User Guide
9-14
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 9 Identities
Identifying Users Transparently
Obtaining, Installing, and Configuring the Active Directory Agent
1. Before installing and configuring the Active Directory Agent, carefully read the documentation for the Active Directory Agent:
   – Installation and any other release notes for Active Directory Agent:
     http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html
   – Installation and Setup Guide for the Active Directory Agent:
     http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html
2. Verify that your environment meets all requirements for installation and use, including the supported Active Directory versions and all preinstallation requirements in the Active Directory Agent documentation.
3. Download the Cisco Active Directory Agent: Go to http://www.cisco.com and search for “AD_Agent”.
4. Install the Active Directory Agent on a machine on the network that is accessible to the Web Security appliance and can communicate with all Windows domain controllers in the forest. For best performance, this machine should be as close as possible to the Web Security appliance on the network. Be sure to follow the installation instructions in the Active Directory Agent documentation.
5. From the Active Directory Agent command line prompt, add your Active Directory server to the Active Directory Agent as a Domain Controller using the adacfg dc create command.
6. From the Active Directory Agent command line prompt, add the Web Security appliance to the Active Directory Agent as a client using the adacfg client create command.
7. Optionally, you can verify that the server and client were successfully added using the adacfg dc list and adacfg client list commands.
8. Record the shared secret configured during the Active Directory Agent installation. You must enter the shared secret on the Web Security appliance when you configure the NTLM authentication realm.
Note
The Web Security appliance and the Active Directory Agent communicate with each other using the RADIUS protocol. The appliance and the agent must be configured with the same shared secret to obfuscate user passwords. Other user attributes are not obfuscated.
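The Note above says the shared secret exists to obfuscate passwords and nothing else. The following added example (not code from the guide, the appliance or the agent) implements the standard RADIUS User-Password hiding from RFC 2865 section 5.2, which is what "obfuscate" refers to in RADIUS: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, while attributes such as User-Name travel in the clear. The secret, authenticator, user name and password are constructed values; a mismatched secret on either side produces garbage rather than an error, which is why step 8 asks you to record it exactly.

```python
import hashlib

# Constructed demonstration values (not from the guide or a real deployment).
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))   # fixed 16-byte Request Authenticator so runs are reproducible


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then per block
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator.
    The shared secret is the only key material in this keystream."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block            # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret silently yields garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")   # drop RFC padding; NUL cannot appear in a password


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute-value pair: Type(1) Length(1) Value; Length counts the header."""
    return bytes([attr_type, len(value) + 2]) + value


def build_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Name (type 1) is sent in the clear; only User-Password (type 2) is hidden."""
    return avp(1, username) + avp(2, hide_password(password, secret, authenticator))


if __name__ == "__main__":
    attrs = build_attrs(b"alice", b"Passw0rd!", SECRET, AUTHENTICATOR)
    print("User-Name readable on the wire:", b"alice" in attrs)       # True
    print("password readable on the wire:", b"Passw0rd!" in attrs)    # False
    hidden = hide_password(b"Passw0rd!", SECRET, AUTHENTICATOR)
    print("right secret:", reveal_password(hidden, SECRET, AUTHENTICATOR))
    print("wrong secret:", reveal_password(hidden, b"typo-secret", AUTHENTICATOR))
```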
Transparent User Identification with Novell eDirectory
AsyncOS for Web communicates with the Novell eDirectory Server to maintain an IP address to user name mapping. When a user logs into a client machine through the Novell Client, the Novell Client authenticates the user against the Novell eDirectory Server. When authentication succeeds, the client machine IP address is recorded in the Novell eDirectory Server as an attribute (NetworkAddress field) of the user who logged into the workstation.
Consider the following rules and guidelines when you identify users transparently using Novell eDirectory:
• Novell Client must be installed on each client machine, and end users must use it to authenticate against a Novell eDirectory server.
• The Novell LDAP tree used by the Novell client login must be the same LDAP tree configured in the authentication realm.
• If the Novell clients use multiple Novell LDAP trees, create an authentication realm for each tree, and then create an authentication sequence that uses each Novell LDAP authentication realm.