Cisco Web Security Appliance S690 User Guide
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 7 Identities
Evaluating Identity Group Membership
authenticate the user, depending on how you configure the HTTPS Proxy.
Use the HTTPS Transparent Request setting on the Security Services >
HTTPS Proxy page to define this behavior.
For a diagram of how this occurs, see
.
• Cookie-based authentication surrogates and transparent requests. When
the appliance uses cookie-based authentication, the Web Proxy does not get
cookie information from clients for HTTPS and FTP over HTTP requests.
Therefore, it cannot get the user name from the cookie. In this situation,
HTTPS and FTP over HTTP requests still match the Identity group according
to the other membership criteria, but the Web Proxy does not prompt clients
for authentication even if the Identity group requires authentication. Instead,
the Web Proxy sets the user name to NULL and considers the user as
unauthenticated. Then, when the unauthenticated request is evaluated against
the non-Identity policy groups, it matches only non-Identity groups that
specify “All Identities” and apply to “All Users.” Typically, this is the global
policy, such as the global Access Policy. For a diagram of how this occurs,
see
.
• Cookie-based authentication surrogates and explicit requests. The
behavior is different, depending on whether or not credential encryption is
enabled:
– Credential encryption enabled. The behavior is the same as
cookie-based authentication with transparent requests, as described
previously.
– Credential encryption disabled. The Web Proxy uses no surrogates.
HTTPS and FTP over HTTP requests are authenticated and matched to
Identity groups like HTTP requests. For a diagram of how this occurs, see
.
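The cookie-surrogate cases above can be modeled as a small decision function, which is useful when auditing which policies HTTPS and FTP over HTTP traffic can actually reach. This is an added example, not Cisco code: the class names, the sample policy table, the "Finance" Identity group and the rule used for authenticated matches are assumptions made for illustration, and the Identity group is assumed to require authentication.

```python
from dataclasses import dataclass

NO_COOKIE = {"HTTPS", "FTP over HTTP"}  # proxy gets no cookie for these

@dataclass(frozen=True)
class Request:
    protocol: str                 # "HTTP", "HTTPS" or "FTP over HTTP"
    explicit: bool                # False = transparent deployment
    credential_encryption: bool   # only meaningful for explicit requests
    user: str                     # name authentication would yield (constructed)

@dataclass(frozen=True)
class Policy:
    name: str
    identities: str               # "All Identities" or one Identity group name
    users: object                 # "All Users" or a set of user names

def effective_user(req):
    """User name the Web Proxy ends up with; None models NULL (unauthenticated)."""
    if req.protocol not in NO_COOKIE:
        return req.user           # cookie available: normal authentication
    if req.explicit and not req.credential_encryption:
        return req.user           # no surrogates used, authenticated like HTTP
    return None                   # no prompt, user name set to NULL

def matching_policies(req, identity, policies):
    """Names of the non-Identity policy groups the request is able to match."""
    user = effective_user(req)
    out = []
    for p in policies:
        if user is None:          # only "All Identities" + "All Users" can match
            ok = p.identities == "All Identities" and p.users == "All Users"
        else:                     # simplified authenticated match (assumption)
            ok = p.identities in ("All Identities", identity) and (
                p.users == "All Users" or user in p.users)
        if ok:
            out.append(p.name)
    return out

# Constructed sample policy table; "Finance" is a hypothetical Identity group.
POLICIES = [
    Policy("Finance Access", "Finance", frozenset({"alice"})),
    Policy("Staff Access", "All Identities", frozenset({"alice", "bob"})),
    Policy("Global Access Policy", "All Identities", "All Users"),
]

if __name__ == "__main__":
    for proto, explicit, enc in [("HTTP", False, False), ("HTTPS", False, False),
                                 ("HTTPS", True, True), ("HTTPS", True, False)]:
        req = Request(proto, explicit, enc, "alice")
        print(proto, explicit, enc, "->", matching_policies(req, "Finance", POLICIES))
```

Running the model against a real policy list shows which user-specific restrictions never apply to HTTPS and FTP over HTTP traffic, so the global policy can be reviewed with that traffic in mind.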