Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
Understanding How Authentication Works
Transparent Deployment, Basic Authentication
The 407 HTTP response “Proxy Authentication Required” is allowed from proxy servers only. However,
when the Web Proxy is deployed in transparent mode, its existence is hidden from client applications on
the network. Therefore, the Web Proxy cannot return a 407 response.
To address this problem, the authentication process comprises these steps:
Step 1
Client sends a request to a web page and the Web Proxy transparently intercepts it.
Step 2
Web Proxy uses a 307 HTTP response to redirect the client to the Web Proxy which masquerades as a
local web server.
Note
This transaction is recorded in the access logs with “TCP_DENIED/307”.
Step 3
Client sends a request to the redirected URL.
Step 4
Web Proxy sends a 401 HTTP response “Authorization required.”
Step 5
User is prompted for credentials and enters them.
Step 6
Client sends the request again, but this time with the credentials in an “Authorization” HTTP header.
Step 7
Web Proxy confirms the credentials, tracks the user by IP address or with a cookie, and then redirects
the client to the originally requested server.
Note
You can configure the Web Proxy to use either IP addresses or cookies to track authenticated
users.
Step 8
If the client requests the original web page again, the Web Proxy transparently intercepts the request,
confirms the user by IP address or cookie, and returns the requested page.
Note
If the client tries to connect to another web page and the Web Proxy tracked the user by IP address, the
Web Proxy confirms the user by IP address and returns the requested page.
Table 21-5 lists advantages and disadvantages of using transparent Basic authentication and IP-based
credential caching.
Table 21-5
Pros and Cons of Transparent Basic Authentication—IP Caching

Advantages
• Works with all major browsers
• With user agents that do not support authentication, users only need to authenticate first in a supported browser
• Relatively low overhead
• Works for HTTPS requests if the user has previously authenticated with an HTTP request

Disadvantages
• Authentication credentials are associated with the IP address, not the user (does not work in Citrix and RDP environments, or if the user changes IP address)
• No single sign-on
• Password is sent as clear text (Base64)
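
The following added example (not from the Cisco guide and not AsyncOS code) models Steps 1 through 8 with IP-based credential caching. It shows two of the listed disadvantages: the Base64 credential decodes straight back to the password, and a second person behind the same IP address is attributed to the first user. The host name, account and addresses are constructed, and Step 7 is modelled as a generic "REDIRECT" action because the guide does not name its status code.

```python
import base64

AUTH_HOST = "http://wsa-auth.example.test"  # hypothetical redirect host, not from the guide

def decode_basic(header):
    """Recover (user, password) from a Basic Authorization header value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password  # Base64 is an encoding: no key is needed to read it

class TransparentProxyModel:
    """Toy model of Steps 1-8 with IP-based credential caching."""
    def __init__(self, users):
        self.users = users    # constructed user -> password table
        self.ip_cache = {}    # client IP -> user name (the tracking state)
        self.pending = {}     # client IP -> originally requested URL

    def handle(self, client_ip, url, authorization=None):
        """Return (action, detail, attributed_user) for one intercepted request."""
        if not url.startswith(AUTH_HOST):
            user = self.ip_cache.get(client_ip)
            if user is not None:                    # Step 8: confirmed by IP alone
                return "PASS", url, user
            self.pending[client_ip] = url           # Steps 1-2: TCP_DENIED/307 in the log
            return "307", AUTH_HOST + "/", None
        if authorization is None:                   # Steps 3-4
            return "401", "Authorization required", None
        user, password = decode_basic(authorization)  # Step 6
        if self.users.get(user) != password:
            return "401", "Authorization required", None
        self.ip_cache[client_ip] = user             # Step 7: track by IP, then redirect
        return "REDIRECT", self.pending.pop(client_ip, "/"), user

def run_demo():
    """Replay the flow, then a second person's request from the same IP."""
    proxy = TransparentProxyModel({"alice": "Spring2024"})  # constructed account
    shared_ip = "192.0.2.10"                                # e.g. a terminal server
    header = "Basic " + base64.b64encode(b"alice:Spring2024").decode("ascii")
    return [
        proxy.handle(shared_ip, "http://example.com/"),
        proxy.handle(shared_ip, AUTH_HOST + "/"),
        proxy.handle(shared_ip, AUTH_HOST + "/", header),
        proxy.handle(shared_ip, "http://example.com/"),
        proxy.handle(shared_ip, "http://example.org/"),  # different person, same IP
        proxy.handle("192.0.2.11", "http://example.org/"),  # other IP: must authenticate
    ]

if __name__ == "__main__":
    for step in run_demo():
        print(step)
```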