User Guide for Cisco Web Security Appliance S360
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Evaluating Identity Group Membership
The Web Proxy sequentially reads through each Identity group in the Identity policies table. It compares
the client request status to the membership criteria of the first Identity group. If they match, the Web
Proxy assigns the Identity group to the transaction.
If they do not match, the Web Proxy compares the client request to the next Identity group. It continues
this process until it matches the client request to a user-defined Identity group or, if no user-defined
Identity group matches, to the global Identity policy. When the Web Proxy matches the client
request to an Identity group or the global Identity policy, it assigns the Identity group to the transaction.
If at any time during the comparison process the user fails authentication, the Web Proxy terminates the
request. For more information about how authentication works with Identity groups, see
.
After the Web Proxy assigns an Identity to a client request, it evaluates the request against the other
policy group types. For more information, see the following locations:
•
•
•
•
Understanding How Authentication Affects Identity Groups
To define authentication requirements for an Identity group, you can choose an authentication realm or
sequence that applies to the Identity group.
Note
You can specify the authorized users when you use the Identity in a non-Identity policy group.
Consider the following rules and guidelines when creating and ordering Identity groups:
• Identity group order. All Identity groups that do not require authentication must be above Identity
groups that require authentication.
• Cookie-based authentication. When the appliance is configured to use cookie-based authentication
surrogates, it does not get cookie information from clients for HTTPS and FTP over HTTP requests.
Therefore, it cannot get the user name from the cookie. How HTTPS and FTP over HTTP requests
are matched against the Identity groups varies based on other factors. For more information, see
.
• Identity uniqueness. Verify the Identity group membership requirements are unique for each
Identity group. If two Identity groups require the exact same membership, then client requests never
match the lower Identity group. If any non-Identity policy uses the lower Identity group, client
requests never match that policy.
• Global Identity policy. The global Identity policy does not require authentication by default when
you create an authentication realm. If you want the global Identity policy to require authentication,
you must assign an authentication realm, authentication sequence, or the All Realms sequence to the
global Identity policy.
For some examples of how the Web Proxy matches client requests to an Identity group for different
Identity policies tables, see
.
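The first-match evaluation and the ordering and uniqueness guidelines above can be checked against a table before it is deployed. The following is an added example, not code from the Cisco guide or from AsyncOS: the field names, the sample table and the reduction of membership to subnet plus protocols (with authentication as a single pass/fail flag) are assumptions made for illustration.

```python
# Added illustration: simplified model of an Identity policies table.
# Field names (name, subnet, protocols, requires_auth) are assumptions, not AsyncOS keys.
from ipaddress import ip_address, ip_network

GLOBAL = "Global Identity Policy"

def membership(group):
    """Membership criteria as a comparable key (subnet + protocol set)."""
    return (ip_network(group["subnet"]), frozenset(group["protocols"]))

def lint_identity_table(groups):
    """Check the ordering and uniqueness guidelines; return a list of findings."""
    findings, seen, auth_seen = [], {}, None
    for g in groups:
        if g["requires_auth"]:
            auth_seen = auth_seen or g["name"]
        elif auth_seen:
            findings.append(f"order: '{g['name']}' (no auth) is below '{auth_seen}' (auth)")
        key = membership(g)
        if key in seen:
            findings.append(f"shadowed: '{g['name']}' has the same membership as '{seen[key]}'")
        else:
            seen[key] = g["name"]
    return findings

def match_identity(groups, client_ip, protocol, authenticated):
    """First-match evaluation, top to bottom. Returns the assigned Identity name,
    or None when the request is terminated because authentication failed."""
    for g in groups:
        subnet, protocols = membership(g)
        if ip_address(client_ip) in subnet and protocol in protocols:
            if g["requires_auth"] and not authenticated:
                return None
            return g["name"]
    return GLOBAL  # global policy; does not require authentication by default

# Constructed sample table (top row is evaluated first).
TABLE = [
    {"name": "Staff", "subnet": "10.1.0.0/16", "protocols": ["http", "https"], "requires_auth": True},
    {"name": "Kiosks", "subnet": "10.9.0.0/24", "protocols": ["http"], "requires_auth": False},
    {"name": "Staff-Legacy", "subnet": "10.1.0.0/16", "protocols": ["https", "http"], "requires_auth": True},
]

if __name__ == "__main__":
    for finding in lint_identity_table(TABLE):
        print(finding)
    print(match_identity(TABLE, "10.1.4.7", "https", authenticated=True))
```

On the sample table the check reports that "Kiosks" sits below an authenticating group and that "Staff-Legacy" can never match, so any non-Identity policy that references "Staff-Legacy" would never apply.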