Cisco Web Security Appliance S170 User Guide
EXAMPLE IDENTITY POLICIES TABLES
CHAPTER 7: IDENTITIES
This section shows some sample Identity groups defined in an Identity policies table and
describes how the Web Proxy evaluates different client requests using each Identity policies
table.
Example 1
Table 7-3 shows an Identity policies table with three user-defined Identity groups. The first
Identity group applies to a particular subnet and does not require authentication. The second
Identity group applies to all subnets and requests for URLs in the “Proxies & Translators”
category, and requires authentication on RealmA. The third Identity group applies to all
subnets, has no advanced options defined, and requires authentication on RealmA. The
global Identity policy applies to all subnets (by definition) and does not require
authentication.
The Web Proxy matches client requests to Identity groups in this scenario differently,
depending on the client’s subnet and the URL category of the request:
• Any client on subnet 10.1.1.1 for any URL. When a client on subnet 10.1.1.1 sends a
request for any URL, the Web Proxy evaluates the first Identity group and determines that
the client subnet matches the first Identity group subnet. Then it determines that no
authentication is required and no advanced options are configured, so it assigns the first
Identity group to the transaction.
• Any client on a subnet other than 10.1.1.1 for URLs in the “Proxies & Translators” URL
category. When a client on a subnet other than 10.1.1.1 sends a request for a URL in the
“Proxies & Translators” category, the Web Proxy evaluates the first Identity group and
determines that the client subnet is not listed in the first Identity group’s list of subnets.
Therefore, it evaluates the second Identity group, and then determines that the client
subnet is listed in the second Identity group’s list of subnets. Then it determines that the
URL in the request matches the URL category in the second Identity group’s advanced
Table 7-3 Policies Table Example 1

Order                   Subnet(s)         Authentication Required?  Realm or Sequence  Advanced Options
1                       10.1.1.1          No                        N/A                none
2                       All               Yes                       RealmA             URL Category is “Proxies & Translators”
3                       All               Yes                       RealmA             none
Global Identity policy  All (by default)  No                        N/A                N/A (none by default)
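
The top-to-bottom matching walked through above can be modelled in a few lines. This is an added example, not Cisco code: it encodes the rows of Table 7-3, checks subnet and then the advanced option, and returns the first matching row; it does not model the authentication exchange itself. Assumptions: 10.1.1.1 is treated as a /32, the client address 10.2.2.2 and the "News" category used to exercise it are constructed, and shadowed() is a hypothetical audit helper that flags rows fully covered by an earlier row.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class IdentityGroup:
    order: str
    subnets: Optional[Tuple[str, ...]]   # None = "All"
    auth_required: bool
    realm: Optional[str]                 # None = N/A
    url_category: Optional[str] = None   # advanced option; None = none defined

# Rows of Table 7-3 in evaluation order (10.1.1.1 modelled as a /32: assumption).
TABLE_7_3 = [
    IdentityGroup("1", ("10.1.1.1/32",), False, None),
    IdentityGroup("2", None, True, "RealmA", "Proxies & Translators"),
    IdentityGroup("3", None, True, "RealmA"),
    IdentityGroup("Global", None, False, None),
]

def criteria_match(group, client_ip, url_category):
    """Subnet check first, then the advanced option, as in the walkthrough."""
    addr = ipaddress.ip_address(client_ip)
    if group.subnets is not None and not any(
            addr in ipaddress.ip_network(net) for net in group.subnets):
        return False
    return group.url_category in (None, url_category)

def evaluate(table, client_ip, url_category):
    """Return the first group, top to bottom, whose criteria match the request."""
    for group in table:
        if criteria_match(group, client_ip, url_category):
            return group
    raise LookupError("no group matched: table has no catch-all row")

def shadowed(table):
    """Orders of rows that no request can reach in this model, because an
    earlier row matches every request the later row would match."""
    def covers(a, b):
        if a.url_category not in (None, b.url_category):
            return False
        if a.subnets is None or b.subnets is None:
            return a.subnets is None
        return all(any(ipaddress.ip_network(y).subnet_of(ipaddress.ip_network(x))
                       for x in a.subnets) for y in b.subnets)
    return [b.order for i, b in enumerate(table)
            if any(covers(a, b) for a in table[:i])]
```

Running shadowed() after reordering rows is a quick way to see whether a broad group placed too high now hides a more specific one below it.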