User Guide for the Cisco Web Security Appliance S170
8-15
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Identifying Users Transparently
Figure 8-4
Active Directory Agent Workflow
Note
The Active Directory agent instance used for communicating with the Web Security appliance can also
support other products, such as the adaptive security appliance and other Web Security appliances.
Obtaining, Installing, and Configuring Cisco Context Directory Agent
You can find information about downloading, installing, and configuring the Cisco Context Directory
Agent here: http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda10.html.
Note
The Web Security appliance and Active Directory agents communicate with each other using the
RADIUS protocol. The appliance and the agent must be configured with the same shared secret, which
RADIUS uses to obfuscate the user password attribute. Other user attributes are not obfuscated and
travel in cleartext, so keep the appliance-to-agent traffic on a trusted network segment.
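The note above says the shared secret "obfuscates" the password and nothing else. The following is an added example, not code from the AsyncOS guide or from Cisco, that implements the User-Password hiding defined in RFC 2865 section 5.2 for a constructed Access-Request attribute set and then shows what a passive observer on the wire sees with and without the secret. Which side (appliance or agent) acts as RADIUS client is an assumption here and does not affect the mechanism; the user name, password, IP address and secret are made-up sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, stand-alone.

Added example (not Cisco's or the AsyncOS guide's code). The RADIUS
client/server roles of the appliance and the AD agent are assumed; the
attribute values below are constructed sample data.
"""
import hashlib
import os
import socket

# Attribute type codes from RFC 2865 section 5
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_NAMES = {ATTR_USER_NAME: "User-Name",
              ATTR_USER_PASSWORD: "User-Password",
              ATTR_FRAMED_IP_ADDRESS: "Framed-IP-Address"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed on
    the 16-byte Request Authenticator. This is keyed obfuscation, not
    authenticated encryption: anyone holding the secret can reverse it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes (RFC 2865)")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block              # chaining: next key depends on this ciphertext block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL padding is stripped, which is
    why RADIUS cannot carry passwords that end in a NUL byte."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV; the length octet counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data: bytes) -> list:
    """Walk the TLV list, refusing truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request_attrs(username: str, password: str, client_ip: str,
                               secret: bytes, authenticator: bytes) -> bytes:
    """Only User-Password is transformed; the other attributes go as-is."""
    return (encode_attr(ATTR_USER_NAME, username.encode())
            + encode_attr(ATTR_USER_PASSWORD,
                          hide_password(password.encode(), secret, authenticator))
            + encode_attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(client_ip)))


def observer_view(attrs: bytes) -> dict:
    """What a passive capture yields without knowing the shared secret."""
    view = {}
    for attr_type, value in parse_attrs(attrs):
        name = ATTR_NAMES.get(attr_type, str(attr_type))
        if attr_type == ATTR_USER_NAME:
            view[name] = value.decode()                 # cleartext
        elif attr_type == ATTR_FRAMED_IP_ADDRESS:
            view[name] = socket.inet_ntoa(value)        # cleartext
        else:
            view[name] = value.hex()                    # opaque without the secret
    return view


def demo(secret: bytes = b"change-me", authenticator: bytes = None) -> dict:
    """Constructed Access-Request for user 'alice' from 10.1.2.3 (sample data)."""
    authenticator = authenticator or os.urandom(16)
    attrs = build_access_request_attrs("alice", "s3cret!", "10.1.2.3", secret, authenticator)
    view = observer_view(attrs)
    hidden = next(v for t, v in parse_attrs(attrs) if t == ATTR_USER_PASSWORD)
    view["recovered-with-secret"] = unhide_password(hidden, secret, authenticator).decode()
    return view


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows User-Name and Framed-IP-Address readable directly from the capture, User-Password as 16 opaque bytes, and the password recovered once the secret is supplied. Two practical consequences: the secret must be the same on both ends or the agent decodes garbage, and because the hiding is MD5-keyed rather than real encryption, the secret should be long and random and the link between appliance and agent should not cross untrusted networks.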
Transparent User Identification with Novell eDirectory
AsyncOS for Web communicates with the Novell eDirectory Server to maintain an IP-address-to-user-name
mapping. When a user logs into a client machine through the Novell Client, the Novell Client
authenticates the user against the Novell eDirectory Server. When authentication succeeds, the client
machine's IP address is recorded in the Novell eDirectory Server as an attribute (the NetworkAddress
field) of the user who logged into the workstation, and the appliance reads that attribute to resolve
the user behind a request.
Consider the following rules and guidelines when you identify users transparently using Novell
eDirectory:
• Novell Client must be installed on each client machine, and end users must use it to authenticate
against a Novell eDirectory server.
• The Novell LDAP tree used by the Novell client login must be the same LDAP tree configured in
the authentication realm.
• If the Novell clients use multiple Novell LDAP trees, create an authentication realm for each tree,
and then create an authentication sequence that uses each Novell LDAP authentication realm.
• When you configure the LDAP authentication realm for Novell eDirectory, you must specify a Bind
DN for the query credentials.
[Figure 8-4, Active Directory Agent Workflow: components shown are Client, Active Directory Server, Web Security Appliance, and Active Directory Agent Installation]