Cisco Cisco Web Security Appliance S670 用户指南
Chapter 7 Identities
Evaluating Identity Group Membership
7-6
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
•
Global Identity policy. The global Identity policy does not require
authentication by default when you create an authentication realm. If you
want the global Identity policy to require authentication, you must assign an
authentication realm, authentication sequence, or the All Realms sequence to
the global Identity policy.
authentication by default when you create an authentication realm. If you
want the global Identity policy to require authentication, you must assign an
authentication realm, authentication sequence, or the All Realms sequence to
the global Identity policy.
For some examples of how the Web Proxy matches client requests to an Identity
group for different Identity policies tables, see
group for different Identity policies tables, see
.
Understanding How Authentication Affects HTTPS and FTP over
HTTP Requests
HTTP Requests
How the Web Proxy matches HTTPS and FTP over HTTP requests with Identities
depends on the type of request (either explicitly forwarded or transparently
redirected to the Web Proxy) and the authentication surrogate type:
depends on the type of request (either explicitly forwarded or transparently
redirected to the Web Proxy) and the authentication surrogate type:
•
No authentication surrogates. The Web Proxy matches HTTPS and FTP
over HTTP requests with Identity groups the same way it matches HTTP
requests. For a diagram of how this occurs, see
over HTTP requests with Identity groups the same way it matches HTTP
requests. For a diagram of how this occurs, see
.
•
IP-based authentication surrogates and explicit requests. The Web Proxy
matches HTTPS and FTP over HTTP requests with Identity groups the same
way it matches HTTP requests. For a diagram of how this occurs, see
matches HTTPS and FTP over HTTP requests with Identity groups the same
way it matches HTTP requests. For a diagram of how this occurs, see
.
•
IP-based authentication surrogates and transparent requests. The Web
Proxy matches FTP over HTTP requests with Identity groups the same way it
matches HTTP requests. But for HTTPS requests, the behavior is different,
depending on whether or not the HTTPS request comes from a client that has
authentication information available from an earlier HTTP request:
Proxy matches FTP over HTTP requests with Identity groups the same way it
matches HTTP requests. But for HTTPS requests, the behavior is different,
depending on whether or not the HTTPS request comes from a client that has
authentication information available from an earlier HTTP request:
–
Information available from a previous HTTP request. The Web Proxy
matches HTTPS requests with Identity groups the same way it matches
HTTP requests. HTTPS requests are treated with the Identity associated
with the IP address.
matches HTTPS requests with Identity groups the same way it matches
HTTP requests. HTTPS requests are treated with the Identity associated
with the IP address.
–
No information available from a previous HTTP request. When the
Web Proxy has no credential information for the client, then it either fails
the HTTPS request or decrypts the HTTPS request in order to
Web Proxy has no credential information for the client, then it either fails
the HTTPS request or decrypts the HTTPS request in order to