Cisco Systems ASA 5585-X Webcam User Manual


 
25-5
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Information About Cisco Cloud Web Security
AAA usernames, when using RADIUS or TACACS+, are sent in the following format:
LOCAL\username
AAA usernames, when using LDAP, are sent in the following format:
domain-name\username
For the default username, it is sent in the following format:
[domain-name\]username
For example, if you configure the default username to be “Guest,” then the ASA sends “Guest.”
If you configure the default username to be “Cisco\Guest,” then the ASA sends “Cisco\Guest.”
How Groups and the Authentication Key Interoperate
Unless you need the per-ASA policy that a custom group+group key provides, you will likely use a
company key. Note that not all custom groups are associated with a group key. Non-keyed custom groups
can be used to identify IP addresses or usernames, and can be used in your policy along with rules that
use directory groups.
Even if you do want per-ASA policy and are using a group key, you can also use the matching capability
provided by directory groups and non-keyed custom groups. In this case, you might want an ASA-based
policy, with some exceptions based on group membership, IP address, or username. For example, if you
want to exempt users in the America\Management group across all ASAs:
1. Add a directory group for America\Management.
2. Add an exempt rule for this group.
3. Add rules for each custom group+group key after the exempt rule to apply policy per-ASA.
4. Traffic from users in America\Management will match the exempt rule, while all other traffic will
match the rule for the ASA from which it originated.
Many combinations of keys, groups, and policy rules are possible.
Cloud Web Security Actions
After applying the configured policies, Cloud Web Security either blocks, allows, or sends a warning
about the user request:
Allows—When Cloud Web Security allows the client request, it contacts the originally requested
server and retrieves the data. It forwards the server response to the ASA, which then forwards it to
the user.
Blocks—When Cloud Web Security blocks the client request, it notifies the user that access has been
blocked. It sends an HTTP 302 “Moved Temporarily” response that redirects the client application
to a web page hosted by the Cloud Web Security proxy server showing the blocked error message.
The ASA forwards the 302 response to the client.
Warns—When the Cloud Web Security proxy server determines that a site may be in breach of the
acceptable use policy, it displays a warning page about the site. You can choose to heed the warning
and drop the request to connect, or you can click through the warning and proceed to the requested
site.
You can also choose how the ASA handles web traffic when it cannot reach either the primary or backup
Cloud Web Security proxy server. It can block or allow all web traffic. By default, it blocks web traffic.