User Guide for Cisco Web Security Appliance S170
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Understanding How Authentication Scheme Affects Identity Groups
You define the authentication scheme for each Identity group, not at each realm or sequence. That means you can use the same NTLM realm or a sequence that contains an NTLM realm and use it in Identity groups that use either the NTLMSSP, Basic, or “Basic or NTLMSSP” authentication schemes.
The Web Proxy communicates which scheme(s) it supports to the client application at the beginning of a transaction. The Identity group currently in use determines which scheme(s) it supports. When the Web Proxy informs the client application that it supports both Basic and NTLMSSP, the client application chooses which scheme to use in the transaction.
Some client applications, such as Internet Explorer, always choose NTLMSSP when given a choice between NTLMSSP and Basic. This might cause a user to not pass authentication when all of the following conditions are true:
• The Identity group uses a sequence that contains both LDAP and NTLM realms.
• The Identity group uses the “Basic or NTLMSSP” authentication scheme.
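
As an added example (not from the Cisco guide), the Python sketch below reads the scheme advertisement from a constructed 407 response, models a client that always prefers NTLM, and flags Identity groups that meet both conditions listed above. The `IdentityGroup` class, its field names, and the sample response are assumptions made for illustration; NTLMSSP appears in HTTP headers as the `NTLM` scheme token.

```python
from dataclasses import dataclass

# Constructed 407 response (not captured from a real appliance) for an Identity
# group using "Basic or NTLMSSP". NTLMSSP is advertised as the token "NTLM".
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="Example Web Proxy"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def offered_schemes(raw_response):
    """Return the scheme tokens advertised in the response headers, in order."""
    schemes = []
    for line in raw_response.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() in ("proxy-authenticate", "www-authenticate"):
            parts = value.split()
            if parts:                              # ignore an empty challenge
                schemes.append(parts[0].upper())
    return schemes

def client_choice(schemes, prefers_ntlm=True):
    """Model the client's pick; prefers_ntlm=True mimics the behaviour
    described above for Internet Explorer."""
    if prefers_ntlm and "NTLM" in schemes:
        return "NTLM"
    return schemes[0] if schemes else None

@dataclass
class IdentityGroup:
    """Hypothetical model of an Identity group's authentication settings."""
    name: str
    scheme: str         # "NTLMSSP", "Basic", or "Basic or NTLMSSP"
    realm_types: tuple  # realm types in the sequence, e.g. ("LDAP", "NTLM")

def at_risk(group):
    """True when the group meets both conditions listed above."""
    return (group.scheme == "Basic or NTLMSSP"
            and {"LDAP", "NTLM"} <= set(group.realm_types))

if __name__ == "__main__":
    offered = offered_schemes(SAMPLE_407)
    print("offered:", offered, "-> client picks", client_choice(offered))
    for g in (IdentityGroup("staff", "Basic or NTLMSSP", ("LDAP", "NTLM")),
              IdentityGroup("lab", "NTLMSSP", ("LDAP", "NTLM"))):
        print(g.name, "at risk" if at_risk(g) else "ok")
```
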
Table 8-1 Matching HTTPS and FTP over HTTP Requests to Identities

| Surrogate Types | Explicit Requests | Transparent Requests |
|---|---|---|
| No Surrogate | HTTPS and FTP over HTTP requests are matched like HTTP requests. | N/A |
| IP-based | HTTPS and FTP over HTTP requests are matched like HTTP requests. | FTP over HTTP requests are matched like HTTP requests. HTTPS requests are matched like HTTP requests under any of the following conditions: • A previous HTTP request was authenticated using an identity with an IP-based surrogate. • A previous HTTP request was not authenticated, but the HTTPS Proxy is configured to decrypt the first HTTPS request. Otherwise, if a previous HTTP request was not authenticated and the HTTPS Proxy is configured to deny the request, the HTTPS request fails. |
| Cookie-based | The client is not prompted for authentication. Note: When credential encryption is disabled, no surrogates are used, and HTTPS requests are matched like HTTP requests. | The client is not prompted for authentication. |