Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
Testing Authentication Settings
When you assign an authentication sequence with multiple realms to a policy group and a client sends a
content request, the appliance performs the following actions:
Step 1: The appliance gets the credentials from the client.
Step 2: The appliance attempts to authenticate the client against the authentication server(s) defined in the first realm in the sequence.
Step 3: If the client credentials do not match a user in the servers defined in the first realm, it tries to authenticate against the authentication server(s) in the next realm in the sequence.
Step 4: The appliance continues trying to authenticate the client against servers in the next realms until it either succeeds or runs out of authentication realms.
Step 5: When authentication succeeds, the appliance passes the content response to the client.
Step 6: When the appliance fails to authenticate the client against any authentication realm in the sequence, the appliance does not allow the client to connect to the destination server. Instead, it displays an error message to the client.
Tip: For optimal performance, configure clients on a subnet to be authenticated in a single realm.
Testing Authentication Settings
When you create or edit an authentication realm, you enter a lot of configuration settings to connect to
the authentication server. You can test the settings you enter before submitting the changes to verify you
entered the connection information correctly.
You can test authentication settings from either the CLI or the web interface:
• Web interface. Use Start Test when you create or edit an authentication realm. For more information, see .
• CLI command. Use the testauthconfig command. For more information, see .
Testing Process
When you test authentication settings, the Web Security appliance first verifies that the settings you
entered for the realm are in valid formats. For example, if a field requires a string and it currently
contains a numeric value, the appliance informs you of that error.
If all fields contain valid values, the appliance performs different steps, depending on the authentication
protocol. If the realm contains multiple authentication servers, the appliance goes through the testing
process for each server in turn.
The appliance continues testing all servers in the realm and determines as many failures as possible for
each server. It reports the testing outcome of each server in the realm.
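The two-phase process described above can be mirrored in a pre-flight script that you run before submitting a realm. The following is an added example, not Cisco code and not the appliance's implementation: the realm field names and function names are assumptions, and the only per-server check shown is the TCP listener probe that this guide lists as the first LDAP test step.

```python
import socket

# Field names ("name", "servers", "host", "port") are assumptions for this
# sketch, not AsyncOS setting names.
def validate_formats(realm):
    """Phase 1: collect format errors without touching the network."""
    errors = []
    if not isinstance(realm.get("name"), str) or not realm["name"]:
        errors.append("name: expected a non-empty string")
    servers = realm.get("servers")
    if not isinstance(servers, list) or not servers:
        return errors + ["servers: expected a non-empty list"]
    for i, srv in enumerate(servers):
        if not isinstance(srv.get("host"), str) or not srv["host"]:
            errors.append(f"servers[{i}].host: expected a non-empty string")
        port = srv.get("port")
        if type(port) is not int or not 1 <= port <= 65535:
            errors.append(f"servers[{i}].port: expected an integer 1-65535")
    return errors

def probe_listening(host, port, timeout=2.0):
    """Return None if host:port accepts a TCP connection, else a failure text."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return f"nothing listening on port {port} ({type(exc).__name__})"

def check_realm(realm, checks=(probe_listening,)):
    """Phase 2 runs only when phase 1 is clean. Every server is tested and
    every check is run, so one failure does not hide another."""
    format_errors = validate_formats(realm)
    if format_errors:
        return {"format_errors": format_errors, "servers": {}}
    servers = {}
    for srv in realm["servers"]:
        servers[f'{srv["host"]}:{srv["port"]}'] = [
            msg for check in checks
            if (msg := check(srv["host"], srv["port"])) is not None]
    return {"format_errors": [], "servers": servers}

if __name__ == "__main__":
    # Constructed sample realm; the 127.0.0.1 entries are placeholders.
    sample = {"name": "corp-ldap", "servers": [
        {"host": "127.0.0.1", "port": 389}, {"host": "127.0.0.1", "port": 636}]}
    print(check_realm(sample))
```

Further checks, such as a bind with the realm's service account, can be passed in through the `checks` tuple as functions with the same `(host, port)` signature.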
LDAP Testing
The appliance performs the following steps when you test LDAP authentication settings:
Step 1: It ensures that the LDAP server is listening on the specified LDAP port.