What are Identities, and how do they relate to Access Policies?
AsyncOS for Web 5.6 and newer.
Identities are configured on the Cisco Web Security Appliance (WSA) in Web GUI under the 'Web Security Manager' tab.
An Identity is basically a policy that determines how a user should be authenticated and it can match on many different attributes. This gives us much greater flexibility with authentication as a whole.
For instance, it is now possible to create an Identity which matches based on specific user agent/s, and then we can set this identity to not require authentication. This allows us to exempt only specific applications from authentication, which can be very useful in certain circumstances.
To use Identities correctly, it is important to understand how they are processed. When a client request is received by the appliance, it will first try to match an Identity from the list, in a top --> down fashion, and first match wins. This is similar to how Web Access Policies work.
Once the Identity has been matched, the appliance will check the Access Policies list, checking all the policies in top -> down fashion, looking for a match. It is important to note that the Access Policies can each be configured to match only a specific identity or they can also be set to match All Identities.
Note: If the access policy specifies a single identity, and this identity is not the identity matched by the client, then the access policy will be skipped.
When troubleshooting Access Policy matching, it is important to pay attention to which Identity is being matched by the client. Only Access Policies which match the same Identity as the client will be evaluated for that particular client.