Cisco Cisco Web Security Appliance S170 사용자 가이드
5-14
AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
What to Do Next
•
Create an Identification Profile that uses the Kerberos authentication scheme.
How to Create an Active Directory Authentication Realm (NTLMSSP and Basic)
Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
•
Ensure you have the rights and domain information needed to join the Web Security appliance to the
Active Directory domain you wish to authenticate against.
Active Directory domain you wish to authenticate against.
•
If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups.
If Active Directory groups are not nested, use the default value, “ads”. See
If Active Directory groups are not nested, use the default value, “ads”. See
the Command Line Interface appendix of this guide.
•
Compare the current time on the Web Security appliance with the current time on the Active
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
•
If the Web Security appliance is managed by a Security Management appliance, be prepared to
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
•
Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.
•
For NTLMSSP, single sign on (SSO) can be configured on client browsers. See
About Using Multiple NTLM Realms and Domains
The following rules apply in regard to using multiple NTLM realms and domains:
•
You can create up to 10 NTLM authentication realms.
•
The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another
NTLM realm.
NTLM realm.
•
Each NTLM realm can join one Active Directory domain only but can authenticate users from any
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
domains trusted by that domain. This trust applies to other domains in the same forest by default and
to domains outside the forest to which at least a one way trust exists.
•
Create additional NTLM realms to authenticate users in domains that are not trusted by existing
NTLM realms.
NTLM realms.
Creating an Active Directory Authentication Realm (NTLMSSP and Basic)
Step 1
Choose Network > Authentication.
Step 2
Click Add Realm.
Step 3
Assign a unique name to the authentication realm using only alphanumeric and space characters.
Step 4
Select Active Directory in the Authentication Protocol and Scheme(s) field.
Step 5
Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).
Example:
active.example.com
.