Cisco Web Security Appliance S170 User Guide
Chapter 16: Authentication
Table 16-2 describes the differences between Basic and NTLMSSP authentication schemes.
How Web Proxy Deployment Affects Authentication
The Web Proxy communicates with clients and authentication servers differently depending
on the type of Web Proxy deployment and the authentication protocol.
Table 16-3 lists the possible methods of authentication for the various authentication
protocols and deployment types.
Table 16-2 Basic versus NTLMSSP Authentication Schemes

| Authentication Scheme | User Experience | Security |
|---|---|---|
| Basic | The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember the provided credentials. Each time the user opens the browser, the client either prompts for credentials or resends the previously saved credentials. | Credentials are sent unsecured as clear text (Base64). A packet capture between the client and Web Security appliance can reveal the user name and password. Note: You can configure the Web Security appliance so clients send authentication credentials securely. For more information, see “Sending Authentication Credentials Securely” on page 363. |
| NTLMSSP | The client transparently authenticates by using its Windows login credentials. The user is not prompted for credentials. However, the client prompts the user for credentials under the following circumstances: • The Windows credentials failed. • The client does not trust the Web Security appliance because of browser security settings. | Credentials are sent securely using a three-way handshake (digest style authentication). The password is never sent across the connection. For more information on the three-way handshake, see “Explicit Forward Deployment, NTLM Authentication” on page 342. |
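
The contrast in Table 16-2, shown as an added example that is not part of the Cisco guide: a small Python audit helper that classifies HTTP authentication headers seen between a client and the proxy and reports whether the password itself crosses the wire. It assumes the standard `Authorization`/`Proxy-Authorization` header names and NTLM's Type 1/2/3 message numbering; the function name and the sample headers are constructed for illustration.

```python
import base64
import struct

REQUEST_HEADERS = ("authorization", "proxy-authorization")
CHALLENGE_HEADERS = ("www-authenticate", "proxy-authenticate")
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(line):
    """Describe what a single HTTP authentication header exposes on the wire."""
    name, _, value = line.partition(":")
    name = name.strip().lower()
    scheme, _, token = value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if name not in REQUEST_HEADERS + CHALLENGE_HEADERS or not token:
        return None
    if scheme not in ("basic", "ntlm") or (scheme == "basic" and name in CHALLENGE_HEADERS):
        return None  # e.g. a 'Basic realm=...' challenge carries no credentials
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "password_on_wire": False, "note": "malformed"}
    if scheme == "basic":
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        # Base64 is an encoding, not encryption: report the exposure, drop the secret.
        return {"scheme": "basic", "user": user, "password_on_wire": bool(sep)}
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return {"scheme": "ntlm", "password_on_wire": False, "note": "malformed"}
    msg_type = struct.unpack_from("<I", raw, 8)[0]  # little-endian message type
    return {"scheme": "ntlm", "password_on_wire": False,
            "message": NTLM_TYPES.get(msg_type, "UNKNOWN")}


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample headers (not taken from any real capture).
SAMPLE_HEADERS = [
    "Proxy-Authorization: Basic " + _b64(b"jsmith:ExamplePass1"),
    "Proxy-Authorization: NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(4)),
    "Proxy-Authenticate: NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(20)),
    "Proxy-Authorization: NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(52)),
    "Host: example.com",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_auth_header(header))
```

A `password_on_wire: True` result on a connection that is not encrypted is the case the table's Note addresses by configuring the appliance so clients send credentials securely.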
Table 16-3 Methods of Authentication

| Web Proxy Deployment | Client to Web Security Appliance | Web Security Appliance to Authentication Server |
|---|---|---|
| Explicit forward | Basic | LDAP or NTLM Basic |
| Transparent | Basic | LDAP or NTLM Basic |