Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 20      Authentication
2. If the client provides NTLMSSP credentials, and if the sequence has an NTLM realm selected in the “Realm for NTLMSSP Scheme” field, the appliance attempts to authenticate the client against the authentication server(s) defined in the specified NTLM realm.
3. If the client provides Basic credentials, the appliance attempts to authenticate the client against the authentication server(s) defined in the first realm in the “Realm Sequence for Basic Scheme” section.
4. If the Basic client credentials do not match a user in the servers defined in the first Basic realm, it tries to authenticate against the authentication server(s) in the next Basic realm in the sequence.
5. The appliance continues trying to authenticate the client against servers in the next Basic realms until it either succeeds or runs out of authentication realms.
6. When authentication succeeds, the appliance assigns an Access Policy, and passes the server response to the client.
7. When the appliance fails to authenticate the client against any authentication realm in the sequence, the appliance does not allow the client to connect to the destination server. Instead, it displays an error message to the client.
Tip: For optimal performance, configure clients on a subnet to be authenticated in a single realm.
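The following Python example is added here to illustrate steps 2 through 7 above; it is not Cisco code and does not reproduce the appliance's implementation. The realm names, accounts, and the `Realm` and `Sequence` classes are hypothetical, and each authentication server is modelled as a simple username-to-password table (NTLMSSP is really challenge-response, which is simplified away here).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Realm:
    name: str
    servers: list  # each server modelled as {username: password}; constructed data

    def authenticate(self, user, password):
        # The realm accepts the client if any of its servers matches the credentials.
        return any(user in s and s[user] == password for s in self.servers)

@dataclass
class Sequence:
    ntlm_realm: Optional[Realm]   # "Realm for NTLMSSP Scheme"
    basic_realms: list            # "Realm Sequence for Basic Scheme", in order
    tried: list = field(default_factory=list)

    def handle(self, scheme, user, password):
        """Return (allowed, realm_name); self.tried lists the realms contacted."""
        self.tried = []
        if scheme == "NTLMSSP" and self.ntlm_realm:
            candidates = [self.ntlm_realm]        # step 2
        elif scheme == "Basic":
            candidates = self.basic_realms        # steps 3-5
        else:
            candidates = []
        for realm in candidates:
            self.tried.append(realm.name)
            if realm.authenticate(user, password):
                return True, realm.name           # step 6: Access Policy assigned
        return False, None                        # step 7: connection refused, error shown

# Constructed realms and accounts, for illustration only.
SEQ = Sequence(
    ntlm_realm=Realm("corp-ad", [{"alice": "pw-a"}]),
    basic_realms=[
        Realm("ldap-hq", [{"bob": "pw-b"}, {"carol": "pw-c"}]),
        Realm("ldap-branch", [{"bob": "pw-b2", "dave": "pw-d"}]),
    ],
)

if __name__ == "__main__":
    for creds in [("Basic", "bob", "pw-b"), ("Basic", "bob", "pw-b2"),
                  ("Basic", "dave", "pw-d"), ("Basic", "eve", "guess"),
                  ("NTLMSSP", "alice", "pw-a")]:
        print(creds[:2], SEQ.handle(*creds), "tried:", SEQ.tried)
```

In this model the order of the Basic realm sequence decides which realm authenticates a user name that exists in more than one realm, and a failed Basic login contacts every realm in the sequence before the client is refused.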
Authentication Realm Testing
When you test authentication settings, the Web Security appliance first verifies that the settings you entered for the realm are in valid formats. For example, if a field requires a string and it currently contains a numeric value, the appliance informs you of that error.
If all fields contain valid values, the appliance performs different steps, depending on the authentication protocol. If the realm contains multiple authentication servers, the appliance goes through the testing process for each server in turn.
The appliance continues testing all servers in the realm and determines as many failures as possible for each server. It reports the testing outcome of each server in the realm.
LDAP Testing
The appliance performs the following steps when you test LDAP authentication settings:
1. It ensures that the LDAP server is listening on the specified LDAP port.
2. If Secure LDAP is selected, the appliance ensures the LDAP server supports secure LDAP.
3. It performs an LDAP query using the supplied Base DN, User Name Attribute, and User Filter Query.
4. If the realm includes Bind Parameters, the appliance validates them by forming an LDAP query with the Bind Parameters.
5. If Group Authorization is provided, the appliance ensures that the specified group attributes are valid by fetching the groups from the server.