Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 9 Identities
Example Identity Policies Tables
• Any client on a subnet other than 10.1.1.1 for any URL not in the “Proxies & Translators” URL
category. When a client on a subnet other than 10.1.1.1 sends a request for a URL, the Web Proxy
evaluates the first Identity group and determines that the client subnet is not listed in the first Identity
group’s list of subnets. Therefore, it evaluates the second Identity group, and then determines that
the client subnet is listed in the second Identity group’s list of subnets. Then it determines that the
URL in the request does not match the URL category in the second Identity group’s advanced
section. Therefore, it evaluates the third Identity group, and then determines that the client subnet
is listed in the third Identity group’s list of subnets. The third Identity group does not have any
advanced options configured, so the Web Proxy continues to compare against authentication requirements.
Then it determines that the third Identity group requires authentication, so it tries to authenticate the user
against the authentication server(s) defined in RealmA. If the user exists in RealmA, the Web Proxy
assigns the third Identity group to the transaction. If the user does not exist in RealmA, the Web
Proxy terminates the client request because the client failed authentication.
Note that in this scenario, most client requests will never match the global Identity group because of the
user-defined Identity group (the third group) that applies to all subnets, has no advanced options, and
requires authentication. Any client on the network that does not match the first or second Identity group
will match the third Identity group. The exception to this is for HTTPS requests when the appliance is
in transparent mode with cookie-based authentication. In that case, any client on a subnet other than 10.1.1.1 will
match the global Identity group even though it requires authentication.
Example 2

Table 9-4 shows a policies table with two user-defined Identity groups. The first Identity group applies
to all subnets, requires authentication, and specifies RealmA for authentication. The second Identity
group applies to all subnets, requires authentication, and specifies RealmB for authentication. Neither
Identity group has any advanced option configured. The global Identity group applies to all subnets,
requires authentication, and specifies the All Realms sequence for authentication.
In this scenario, when a client sends a request for a URL, the Web Proxy evaluates the first Identity group
and determines that the Identity group applies to all subnets and has no advanced options configured. It
determines that the Identity group requires authentication and that the only realm specified in the
Identity group is RealmA. Therefore, in order for a client on any subnet to pass authentication, it must
exist in RealmA.
When a client that exists in RealmA sends a request for a URL, the client passes authentication and the
Web Proxy assigns the first Identity group to the transaction. When a client that does not exist in RealmA
sends a request for a URL, the client fails authentication and the Web Proxy terminates the request. Because
the first Identity group either matches or terminates every request, the second Identity group (RealmB) and
the global Identity group are never reached in this scenario.
Table 9-4    Policies Table Example 2

Order                     Subnet(s)   Authentication Required?   Realm or Sequence   Advanced Options
1                         All         Yes                        RealmA              none
2                         All         Yes                        RealmB              none
Global Identity policy    All         Yes                        All Realms          N/A (none by default)
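The following Python model, added here as an illustration and not Cisco code, walks a policies table in the order this page describes (subnet list, then advanced options, then authentication requirement) and shows both scenarios: the three-group table of Example 1 and the two-group table of Example 2 (Table 9-4). The group names, the sample users in each realm, and the contents of Example 1's first two groups are constructed assumptions (Table 9-3 is not on this page); the HTTPS/transparent-mode/cookie exception is modeled as "skip user-defined groups that require authentication", which is an assumption about the mechanism since the page states only the outcome. It also includes a small check for Identity groups that are shadowed by an earlier catch-all group, as in Example 2.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not Cisco code. It models the top-to-bottom matching order
# described on this page. Group names, sample users and Example 1's first two
# groups are constructed assumptions; Example 2 follows Table 9-4.


@dataclass
class IdentityGroup:
    name: str
    subnets: Optional[list]                 # CIDR/host strings, or None for "All"
    auth_required: bool
    realm: Optional[str] = None             # realm name or "All Realms" when auth_required
    url_categories: list = field(default_factory=list)  # advanced option; [] = none


GLOBAL = IdentityGroup("Global Identity policy", None, True, "All Realms")


def in_subnets(group: IdentityGroup, client_ip: str) -> bool:
    """True when the client address is in the group's subnet list ("All" matches anything)."""
    if group.subnets is None:
        return True
    addr = ip_address(client_ip)
    return any(addr in ip_network(net, strict=False) for net in group.subnets)


def authenticates(realm: str, user: str, directory: dict) -> bool:
    """True when `user` exists in `realm`; "All Realms" tries every realm in the sequence."""
    realms = list(directory) if realm == "All Realms" else [realm]
    return any(user in directory.get(r, ()) for r in realms)


def match_identity(groups, client_ip, url_category, user, directory,
                   scheme="http", transparent_cookie_auth=False):
    """Evaluate the policies table for one request.

    Returns (group_name, reason). group_name is None when the Web Proxy
    terminates the request because the client failed authentication.
    """
    for g in groups:
        if not in_subnets(g, client_ip):
            continue                                   # subnet not listed: next group
        if g.url_categories and url_category not in g.url_categories:
            continue                                   # advanced option does not match
        if not g.auth_required:
            return g.name, "matched without authentication"
        if scheme == "https" and transparent_cookie_auth:
            # Assumption: the page says such requests end up in the global Identity
            # group; modeled here by skipping user-defined groups that require auth.
            continue
        if authenticates(g.realm, user, directory):
            return g.name, f"authenticated against {g.realm}"
        return None, f"terminated: {user} failed authentication against {g.realm}"
    # Nothing matched: the global Identity policy is the catch-all. Whether it then
    # authenticates the user is outside this model.
    return GLOBAL.name, "fell through to the global Identity policy"


def shadowed_groups(groups):
    """Names of groups no HTTP request can reach: an earlier group that applies to
    All subnets with no advanced options either matches or terminates everything."""
    for i, g in enumerate(groups):
        if g.subnets is None and not g.url_categories:
            return [h.name for h in groups[i + 1:]]
    return []


# Constructed sample directory: alice exists only in RealmA, bob only in RealmB.
DIRECTORY = {"RealmA": {"alice"}, "RealmB": {"bob"}}

# Example 1, reconstructed from the bullet on this page (Table 9-3 is not shown here).
EXAMPLE_1 = [
    IdentityGroup("Group 1", ["10.1.1.1"], False),   # assumed: covers only 10.1.1.1
    IdentityGroup("Group 2", None, False, url_categories=["Proxies & Translators"]),
    IdentityGroup("Group 3", None, True, "RealmA"),
]

# Example 2 (Table 9-4).
EXAMPLE_2 = [
    IdentityGroup("1", None, True, "RealmA"),
    IdentityGroup("2", None, True, "RealmB"),
]

if __name__ == "__main__":
    cases = [
        (EXAMPLE_1, "10.2.0.5", "Business", "alice", {}),
        (EXAMPLE_1, "10.2.0.5", "Business", "bob", {}),
        (EXAMPLE_1, "10.2.0.5", "Proxies & Translators", "bob", {}),
        (EXAMPLE_1, "10.2.0.5", "Business", "bob",
         {"scheme": "https", "transparent_cookie_auth": True}),
        (EXAMPLE_2, "10.2.0.5", "Business", "bob", {}),
    ]
    for groups, ip, cat, user, kw in cases:
        print(ip, cat, user, kw, "->", match_identity(groups, ip, cat, user, DIRECTORY, **kw))
    print("shadowed in Example 2:", shadowed_groups(EXAMPLE_2))
```

Running the script prints one line per constructed request. In Example 2 the RealmB group is reported as shadowed: the RealmA group above it matches every subnet with no advanced options, so a user who is not in RealmA is terminated before the second group is ever evaluated.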