Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide, page 21-25
Chapter 21      Authentication
Step 5    Submit and commit your changes.
Sending Authentication Credentials Securely
When authentication is used to identify clients using the Web, the client applications send the authentication credentials to the Web Proxy, which in turn passes them to the authentication server. How the credentials are passed from the clients to the Web Proxy depends on the authentication scheme used:
  • NTLMSSP. The credentials are always passed to the Web Proxy securely. They are encrypted using a key specified by the Active Directory server and sent over HTTP.
  • Basic. By default, the credentials are passed to the Web Proxy insecurely. They are encoded, but not encrypted, and sent over HTTP. However, you can configure the Web Security appliance so that clients send authentication credentials securely. This works for both LDAP and NTLM Basic authentication.
When you configure the appliance to use credential encryption for Basic authentication, the Web Proxy redirects the client back to itself, this time over an encrypted HTTPS connection. The client application makes either a GET or a CONNECT request, depending on how requests are forwarded to the appliance (explicitly or transparently) and on whether the client application is configured to forward HTTPS requests through the Web Proxy or not.
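The distinction above (NTLMSSP tokens versus a Basic token that is only base64-encoded) is easy to verify on a captured explicit-proxy request. The following Python helper is an added example, not code from the Cisco guide or the appliance: it classifies the Proxy-Authorization header of a request and reports whether the password is recoverable on that hop. The `over_tls` flag stands in for whether the request was observed on the HTTPS connection the appliance redirects clients to when credential encryption is enabled; the sample requests, hostnames and the NTLM token are constructed, and for Basic only the username is reported, never the password.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AuthFinding:
    scheme: str              # "Basic", "NTLM" or "none"
    secure: bool             # False when the password is recoverable from this hop
    username: Optional[str]  # reported for Basic only; the password is never returned
    reason: str


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_proxy_request(raw: str, over_tls: bool) -> AuthFinding:
    """Classify the credentials a client sent to the proxy in one request.

    over_tls marks whether this request was seen on the HTTPS connection the
    appliance redirects clients to under credential encryption; on a plain
    HTTP hop a Basic token is only base64, so the password is on the wire.
    """
    _, headers = parse_request(raw)
    value = headers.get("proxy-authorization")
    if value is None:
        return AuthFinding("none", True, None, "no proxy credentials in request")
    scheme, _, token = value.partition(" ")
    scheme, token = scheme.strip(), token.strip()
    if scheme.lower() == "ntlm":
        # NTLMSSP messages carry a challenge/response rather than the password;
        # the guide treats them as passed securely even over HTTP.
        return AuthFinding("NTLM", True, None, "NTLMSSP token; credentials not in clear")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            return AuthFinding("Basic", over_tls, None, "malformed Basic token")
        username = decoded.split(":", 1)[0]  # only the user part is reported
        if over_tls:
            return AuthFinding("Basic", True, username,
                               "Basic over the HTTPS hop (credential encryption)")
        return AuthFinding("Basic", False, username,
                           "Basic over plain HTTP: base64 is encoding, not encryption")
    return AuthFinding(scheme, False, None, "unrecognized proxy authentication scheme")


# Constructed sample requests (not captured from a real appliance).
SAMPLE_BASIC_HTTP = (
    "GET http://intranet.example/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"
    "\r\n"
)
SAMPLE_NTLM = (
    "GET http://intranet.example/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Proxy-Authorization: NTLM TlRMTVNTUAABAAAA\r\n"   # constructed placeholder token
    "\r\n"
)
SAMPLE_NO_AUTH = "GET http://intranet.example/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    for label, raw, tls in (("basic/http", SAMPLE_BASIC_HTTP, False),
                            ("basic/https", SAMPLE_BASIC_HTTP, True),
                            ("ntlm/http", SAMPLE_NTLM, False),
                            ("none", SAMPLE_NO_AUTH, False)):
        f = audit_proxy_request(raw, tls)
        print(f"{label:12} scheme={f.scheme:6} secure={str(f.secure):5} user={f.username}: {f.reason}")
```

Run the module directly to see the four classifications; the "basic/http" line is the case the credential encryption setting is meant to remove.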
Table 21-10    Explicit Forward Proxy Mode Authentication Settings (continued)

Setting: User Session Restrictions
Description: This setting specifies whether or not authenticated users are allowed to access the Internet from multiple IP addresses simultaneously.
You might want to restrict access to one machine to prevent users from sharing their authentication credentials with non-authorized users. When a user is prevented from logging in at a different machine, an end-user notification page appears. You can choose whether or not users can click a button to log in as a different username using the Re-authentication setting on this page.
When you enable this setting, enter the restriction timeout value, which determines how long users must wait before being able to log into a machine with a different IP address. The restriction timeout value must be greater than the surrogate timeout value.
You can remove a specific user or all users from the authentication cache using the authcache CLI command.

Setting: Advanced
Description: When using Credential Encryption or SaaS Access Control, you can choose whether the appliance uses the digital certificate and key shipped with the appliance (the Cisco IronPort Web Security Appliance Demo Certificate) or a digital certificate and key you upload here.
To upload a digital certificate and key, click Browse and navigate to the necessary file on your local machine. Then click Upload Files after you select the files you want.
For more information, see .
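To make the User Session Restrictions rules concrete (one IP per user, a restriction timeout that must exceed the surrogate timeout, and the authcache-style flush), here is an added Python model of the decision the appliance makes. It is not the appliance's code; it assumes, as a simplification, that both timeouts are measured from the user's last authenticated request, that the surrogate in question is an IP surrogate, and that a denied request is where the end-user notification page would be shown. Usernames, addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SessionRestrictionPolicy:
    surrogate_timeout: int    # seconds an IP stays bound to a user without re-authentication
    restriction_timeout: int  # seconds before the same user may authenticate from another IP

    def __post_init__(self) -> None:
        # The guide requires the restriction timeout to be greater than the surrogate timeout.
        if self.restriction_timeout <= self.surrogate_timeout:
            raise ValueError("restriction timeout must be greater than the surrogate timeout")


@dataclass
class AuthCache:
    """Toy model of the authentication cache with 'one IP per user' enforced (assumption)."""
    policy: SessionRestrictionPolicy
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # user -> (ip, last_seen)

    def authorize(self, user: str, ip: str, now: int) -> Tuple[bool, str]:
        """Decide whether `user` may be authenticated from `ip` at time `now` (seconds)."""
        bound = self.bindings.get(user)
        if bound is None:
            self.bindings[user] = (ip, now)
            return True, "new session"
        bound_ip, last_seen = bound
        if bound_ip == ip:
            self.bindings[user] = (ip, now)
            if now - last_seen > self.policy.surrogate_timeout:
                return True, "surrogate expired; re-authenticated from the same IP"
            return True, "existing session refreshed"
        if now - last_seen < self.policy.restriction_timeout:
            # Here the appliance would show the end-user notification page,
            # optionally with the re-authentication button.
            wait = self.policy.restriction_timeout - (now - last_seen)
            return False, f"user already active from {bound_ip}; blocked for {wait}s more"
        self.bindings[user] = (ip, now)
        return True, "restriction timeout elapsed; session moved to new IP"

    def clear(self, user: Optional[str] = None) -> None:
        """Like the authcache CLI command: remove one user, or all users when user is None."""
        if user is None:
            self.bindings.clear()
        else:
            self.bindings.pop(user, None)


if __name__ == "__main__":
    # Constructed timeline: alice logs in from one host, a second host tries to
    # reuse her credentials, then the restriction timeout elapses.
    cache = AuthCache(SessionRestrictionPolicy(surrogate_timeout=3600, restriction_timeout=7200))
    for user, ip, t in (("alice", "10.0.0.5", 0), ("alice", "10.0.0.9", 60),
                        ("alice", "10.0.0.5", 120), ("alice", "10.0.0.9", 7320)):
        allowed, why = cache.authorize(user, ip, t)
        print(f"t={t:5} {user}@{ip:9} -> {'ALLOW' if allowed else 'DENY '} ({why})")
    cache.clear("alice")  # equivalent of flushing one user from the authcache
```

Note that because restriction_timeout is measured from the last request seen at the bound IP, an active user keeps pushing the window forward; the constructor check enforces the guide's requirement that it be longer than the surrogate timeout, so a surrogate can never expire and be silently re-bound to a second address.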