Cisco Web Security Appliance S170 User Guide
IronPort AsyncOS 6.3 for Web User Guide
section. Then it determines that the second Identity group requires authentication, so it
tries to authenticate the user against the authentication server(s) defined in RealmA. If the
user exists in RealmA, the Web Proxy assigns the second Identity group to the transaction.
If the user does not exist in RealmA, AsyncOS terminates the client request because the
client failed authentication.
• Any client on a subnet other than 10.1.1.1 for any URL not in the “Proxies &
Translators” URL category. When a client on a subnet other than 10.1.1.1 sends a request
for a URL, the Web Proxy evaluates the first Identity group and determines that the client
subnet is not listed in the first Identity group’s list of subnets. Therefore, it evaluates the
second Identity group, and then determines that the client subnet is listed in the second
Identity group’s list of subnets. Then it determines that the URL in the request does not
match the URL category in the second Identity group’s advanced section. Therefore, it
evaluates the third Identity group, and then determines that the client subnet is listed in
the third Identity group’s list of subnets. The third Identity group does not have any
advanced options configured, so the Web Proxy continues to compare against authentication
requirements. Then it determines that the third Identity group requires authentication, so it
tries to authenticate the user against the authentication server(s) defined in RealmA. If the
user exists in RealmA, the Web Proxy assigns the third Identity group to the transaction. If
the user does not exist in RealmA, the Web Proxy terminates the client request because
the client failed authentication.
Note that in this scenario, most client requests will never match the global Identity group
because of the user-defined Identity group (the third group) that applies to all subnets, has no
advanced options, and requires authentication. Any client on the network that does not match
the first or second Identity group will match the third Identity group. The exception to this is
for HTTPS requests when the appliance is in transparent mode with cookie-based
authentication. Any client on a subnet other than 10.1.1.1 will match the global Identity
group even though it requires authentication.
Example 2
Table 7-4 shows a policies table with two user-defined Identity groups. The first Identity group
applies to all subnets, requires authentication, and specifies RealmA for authentication. The
second Identity group applies to all subnets, requires authentication, and specifies RealmB for
authentication. Neither Identity group has any advanced option configured. The global
Identity group applies to all subnets, requires authentication, and specifies the All Realms
sequence for authentication.
Table 7-4 Policies Table Example 2
Order  Subnet(s)  Authentication Required?  Realm or Sequence  Advanced Options
1      All        Yes                       RealmA             none
2      All        Yes                       RealmB             none
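
An added example, not taken from the Cisco guide: a small Python model of the evaluation order described above, run against the Table 7-4 policies. The realm contents, user names, client address and the evaluate() function are constructed for illustration, the HTTPS transparent-mode exception is not modelled, and the outcome for a RealmB-only user follows from applying the Example 1 rule that a failed authentication terminates the request.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed directory contents (assumption): users known to each realm.
REALMS = {"RealmA": {"alice"}, "RealmB": {"bob"}}
SEQUENCES = {"All Realms": ["RealmA", "RealmB"]}  # a sequence is an ordered list of realms

@dataclass
class IdentityGroup:
    name: str
    realm: Optional[str]                  # None = no authentication required
    subnets: Optional[list] = None        # None = applies to all subnets
    url_categories: Optional[set] = None  # advanced option; None = not configured

def user_in(realm_or_seq, user):
    """True if the user exists in the realm, or in any realm of the sequence."""
    realms = SEQUENCES.get(realm_or_seq, [realm_or_seq])
    return any(user in REALMS[r] for r in realms)

def evaluate(groups, client_ip, url_category, user):
    """Hypothetical model: return (assigned group or None, reason)."""
    for g in groups:
        if g.subnets is not None and not any(
                ip_address(client_ip) in ip_network(s) for s in g.subnets):
            continue  # client subnet not listed: evaluate the next group
        if g.url_categories is not None and url_category not in g.url_categories:
            continue  # advanced option does not match: evaluate the next group
        if g.realm is None or user_in(g.realm, user):
            return g.name, "assigned"
        # Membership criteria matched but authentication failed: the request
        # is terminated and later groups are never consulted.
        return None, f"terminated: failed authentication in {g.realm}"
    return None, "no group matched"

# Table 7-4 (Example 2), with the global Identity group evaluated last.
EXAMPLE_2 = [
    IdentityGroup("group 1", realm="RealmA"),
    IdentityGroup("group 2", realm="RealmB"),
    IdentityGroup("global", realm="All Realms"),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):  # bob exists only in RealmB
        print(user, evaluate(EXAMPLE_2, "10.2.3.4", "News", user))
```

In this model the first group matches every client, so group 2 and the global group are never reached.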