Cisco Cisco Web Security Appliance S370 사용자 가이드
5-12
AsyncOS 8.8 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Creating an Active Directory Realm for Kerberos Authentication Scheme
Before You Begin
•
Ensure the appliance is configured in Standard mode (not Cloud Connector Mode).
•
Prepare the Active Directory Server.
–
Install Active Directory on one of these servers: Windows server 2003, 2008, 2008R2 or 2012.
–
Create a user on the Active Directory server that is a member of the domain administrators.
–
Join your client to the domain. Supported clients are Windows XP, Windows 7 and
Mac OS 10.5+.
Mac OS 10.5+.
–
Use the kerbtray tool from the Windows Resource Kit to verify the Kerberos ticket on the client:
http://www.microsoft.com/en-us/download/details.aspx?id=17657 .
http://www.microsoft.com/en-us/download/details.aspx?id=17657 .
–
Ticket viewer application on Mac clients is available under main menu > KeyChain Access to
view the Kerberos tickets.
view the Kerberos tickets.
•
Ensure you have the rights and domain information needed to join the Web Security appliance to the
Active Directory domain you wish to authenticate against.
Active Directory domain you wish to authenticate against.
•
Compare the current time on the Web Security appliance with the current time on the Active
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
Directory server and verify that the difference is no greater than the time specified in the “Maximum
tolerance for computer clock synchronization” option on the Active Directory server.
•
If the Web Security appliance is managed by a Security Management appliance, be prepared to
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
ensure that same-named authentication realms on different Web Security appliances have identical
properties defined on each appliance.
•
Web Security appliance configuration:
–
In explicit mode, the WSA host name (CLI command
) and the proxy name
configured in the browser must be the same.
–
In transparent mode, the WSA host name must be the same as the Redirect Hostname (see
). Further, the WSA host name and
Redirect Hostname must be configured prior to creating a Kerberos realm.
•
Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.
•
Note that single sign on (SSO) must be configured on client browsers; see
Step 1
In the Cisco Web Security Appliance web interface, choose Network > Authentication.
Step 2
Click Add Realm.
Step 3
Assign a unique name to the authentication realm using only alphanumeric and space characters.
Step 4
Select Active Directory in the Authentication Protocol field.
Step 5
Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).
Example:
ntlm.example.com
.
An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active
Directory server hostname.
Directory server hostname.
When multiple authentication servers are configured in the realm, the appliance attempts to authorize
with up to three authentication servers before failing to authorize the transaction within this realm.
with up to three authentication servers before failing to authorize the transaction within this realm.