Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide, Chapter 7: Policies (page 7-8)
Policy Group Membership
Authentication is the mechanism by which the Web Proxy securely identifies a user. It answers the 
following questions:
  • Who is the user?
  • Is the user really whom he/she claims to be?
Authorization is the mechanism by which the Web Proxy determines the level of access the user has to 
the World Wide Web. It answers the following questions:
  • Is this user allowed to view this website?
  • Is this user allowed to connect to this HTTPS server without the connection being decrypted?
  • Is this user allowed to directly connect to the web server, or must it connect to another proxy server first?
  • Is this user allowed to upload this data?
The Web Proxy can only authorize a user to access an Internet resource after it authenticates who the 
user is. The Web Proxy authenticates users when it evaluates Identity groups, and it authorizes users 
when it evaluates all other policy group types. What that means is the Identity group indicates who is 
making the request, but does not indicate whether that client is allowed to make the request. 
By separating authentication from authorization, you can create a single Identity group that identifies a 
group of users and then you can create multiple policy groups that allow different levels of access to 
subsets of users in the group in the Identity.
For example, you can create one Identity group that covers all users in an authentication sequence. Then 
you can create an Access Policy group for each authentication realm in the sequence. You can also use 
this Identity to create one Decryption Policy with the same level of access for all users in the Identity.
Working with Failed Authentication and Authorization
You can allow users another opportunity to access the web if they fail authentication or authorization. 
How you configure the Web Security appliance depends on what fails:
  • Authentication. When authentication fails, you can grant guest access to the user. Authentication might fail under the following circumstances:
    – A new hire has been provided credentials in an email but they are not yet populated in the authentication server.
    – A visitor comes to the office and needs to be granted restrictive Internet access, but is not in the corporate user directory.
    For more information on configuring guest access, see .
  • Authorization. A user might authenticate correctly, but not be granted access to the web due to the applicable Access Policy. In this case, you can allow the user to re-authenticate with more privileged credentials. To do this, enable the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction” global authentication setting. For more information, see .
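The two-phase evaluation described above (Identity group authenticates against the realms in an authentication sequence, then an Access Policy per realm authorizes, with guest access on authentication failure and a re-authentication prompt on authorization failure) as an added Python model. This is example code written for this page, not Cisco's implementation; the realm names, user directories, URL categories and function names are constructed stand-ins.

```python
from dataclasses import dataclass

# Constructed sample data: an authentication sequence of two realms and the
# users each realm knows about (a stand-in for LDAP/NTLM directories).
REALMS = {
    "corp_ldap": {"alice": "pw-a", "bob": "pw-b"},
    "contractor_ldap": {"carol": "pw-c"},
}
AUTH_SEQUENCE = ["corp_ldap", "contractor_ldap"]

# One Access Policy per realm in the sequence, plus a more restrictive guest
# policy for users who fail authentication. Values are constructed.
ACCESS_POLICIES = {
    "corp_ldap": {"blocked": {"gambling"}},
    "contractor_ldap": {"blocked": {"gambling", "file_sharing"}},
    "guest": {"blocked": {"gambling", "file_sharing", "social"}},
}


@dataclass
class Decision:
    identity: str   # realm that identified the user, "guest", or "none"
    action: str     # "allow", "block", or "reauth"
    reason: str = ""


def authenticate(username, password):
    """Identity phase: who is making the request? Walk the authentication
    sequence and return the first realm that accepts the credentials."""
    for realm in AUTH_SEQUENCE:
        if REALMS[realm].get(username) == password:
            return realm
    return None


def evaluate(username, password, url_category, guest_access=True, reauth_prompt=True):
    """Authorization phase runs only after identity is settled: the Access
    Policy for the identifying realm decides whether the request is allowed."""
    realm = authenticate(username, password)
    if realm is None:
        if not guest_access:
            return Decision("none", "block", "authentication failed")
        realm = "guest"  # failed authentication falls back to guest access
    if url_category in ACCESS_POLICIES[realm]["blocked"]:
        # Authorization failed. An authenticated user may be prompted to
        # re-authenticate with more privileged credentials; a guest is not.
        if reauth_prompt and realm != "guest":
            return Decision(realm, "reauth", f"{url_category} blocked")
        return Decision(realm, "block", f"{url_category} blocked")
    return Decision(realm, "allow")
```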