Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Authentication Keys

25-3

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter25 Configuring the ASA for Cisco Cloud Web Security

Information About Cisco Cloud Web Security

The ASA supports the following methods of determining the identity of a user, or of providing a default

identity:

•AAA rules—When the ASA performs user authentication using a AAA rule, the username is

retrieved from the AAA server or local database. Identity from AAA rules does not include group

information. If configured, the default group is used. For information about configuring AAA rules,

see Chapter 8, “Configuring AAA Rules for Network Access.”

•IDFW—When the ASA uses IDFW with the Active Directory (AD), the username and group is

retrieved from the AD agent when you activate a user and/or group by using an ACL in a feature

such as an access rule or in your service policy, or by configuring the user identity monitor to

download user identity information directly.

For information about configuring IDFW, see Chapter38, “Configuring the Identity Firewall,” in the

general operations configuration guide.

•Default username and group—Without user authentication, the ASA uses an optional default

username and/or group for all users that match a service policy rule for Cloud Web Security.

Authentication Keys

Each ASA must use an authentication key that you obtain from Cloud Web Security. The authentication

key lets Cloud Web Security identify the company associated with web requests and ensures that the

ASA is associated with valid customer.

You can use one of two types of authentication keys for your ASA: the company key or the group key.

•Company Authentication Key, page25-3

•Group Authentication Key, page25-3

A Company authentication key can be used on multiple ASAs within the same company. This key simply

enables the Cloud Web Security service for your ASAs. The administrator generates this key in

ScanCenter (https://scancenter.scansafe.com/portal/admin/login.jsp); you have the opportunity to e-mail

the key for later use. You cannot look up this key later in ScanCenter; only the last 4 digits are shown in

ScanCenter. For more information, see the Cloud Web Security documentation:

http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.h

tml.

A Group authentication key is a special key unique to each ASA that performs two functions:

•Enables the Cloud Web Security service for one ASA.

•Identifies all traffic from the ASA so you can create ScanCenter policy per ASA.

For information about using the Group authentication key for policy, see the “ScanCenter Policy” section

on page 25-4).

The administrator generates this key in ScanCenter

(https://scancenter.scansafe.com/portal/admin/login.jsp); you have the opportunity to e-mail the key for

later use. You cannot look up this key later in ScanCenter; only the last 4 digits are shown in ScanCenter.

Cisco Systems Authentication Keys