Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual

2164 pages
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Step 6
Command:
hostname(config)# user-identity poll-import-user-group-timer hours hours
Example:
hostname(config)# user-identity poll-import-user-group-timer hours 1
Purpose:
Specifies the amount of time before the ASA queries the Active Directory server for user group information.
If a user is added to or deleted from an Active Directory group, the ASA receives the updated user group after the import group timer runs.
By default, the poll-import-user-group-timer is 8 hours.
To immediately update user group information, enter the following command:
user-identity update import-user
See the CLI configuration guide
Step 7
Command:
hostname(config)# user-identity action netbios-response-fail remove-user-ip
Purpose:
Specifies the action when a client does not respond to a NetBIOS probe. For example, the network connection might be blocked to that client or the client is not active.
When the user-identity action remove-user-ip is configured, the ASA removes the user identity-IP address mapping for that client.
By default, this command is disabled.
Step 8
Command:
hostname(config)# user-identity action domain-controller-down domain_nickname disable-user-identity-rule
Example:
hostname(config)# user-identity action domain-controller-down SAMPLE disable-user-identity-rule
Purpose:
Specifies the action when the domain is down because the Active Directory domain controller is not responding.
When the domain is down and the disable-user-identity-rule keyword is configured, the ASA disables the user identity-IP address mappings for that domain. Additionally, the status of all user IP addresses in that domain is marked as disabled in the output displayed by the show user-identity user command.
By default, this command is disabled.
Step 9
Command:
hostname(config)# user-identity user-not-found enable
Purpose:
Enables user-not-found tracking. Only the last 1024 IP addresses are tracked.
By default, this command is disabled.
Step 10
Command:
hostname(config)# user-identity action ad-agent-down disable-user-identity-rule
Purpose:
Specifies the action when the AD Agent is not responding.
When the AD Agent is down and the user-identity action ad-agent-down is configured, the ASA disables the user identity rules associated with the users in that domain. Additionally, the status of all user IP addresses in that domain is marked as disabled in the output displayed by the show user-identity user command.
By default, this command is disabled.
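The following is an added example, not part of the Cisco guide: a small Python check that reads a saved configuration and reports which of the Step 6 through Step 10 options are still at their defaults. It assumes the saved configuration stores each command in the form typed above; the sample configuration is constructed, and CORP is a hypothetical second domain nickname.

```python
import re

DEFAULT_POLL_HOURS = 8  # default stated in Step 6

# Constructed configuration excerpt (assumption: saved lines match the typed form).
SAMPLE_CONFIG = """\
user-identity poll-import-user-group-timer hours 1
user-identity action netbios-response-fail remove-user-ip
user-identity action domain-controller-down SAMPLE disable-user-identity-rule
user-identity user-not-found enable
"""


def audit_identity_firewall(config_text, domains):
    """Return the state of the Step 6-10 options; False means default (disabled)."""
    # Normalise whitespace so wrapped or indented lines still compare equal.
    lines = {" ".join(raw.split()) for raw in config_text.splitlines()}
    report = {"poll_hours": DEFAULT_POLL_HOURS}
    for line in lines:
        m = re.fullmatch(r"user-identity poll-import-user-group-timer hours (\d+)", line)
        if m:
            report["poll_hours"] = int(m.group(1))
    report["netbios_fail_remove_ip"] = (
        "user-identity action netbios-response-fail remove-user-ip" in lines)
    report["user_not_found"] = "user-identity user-not-found enable" in lines
    report["ad_agent_down_disable_rule"] = (
        "user-identity action ad-agent-down disable-user-identity-rule" in lines)
    # Step 8 takes a domain nickname, so each expected domain is checked separately.
    report["dc_down_disable_rule"] = {
        d: f"user-identity action domain-controller-down {d} disable-user-identity-rule" in lines
        for d in domains
    }
    return report


def gaps(report):
    """List the options left at their default so a reviewer can decide on each."""
    missing = [key for key, value in report.items() if value is False]
    missing += [f"dc_down_disable_rule[{d}]"
                for d, ok in report["dc_down_disable_rule"].items() if not ok]
    return sorted(missing)


if __name__ == "__main__":
    rep = audit_identity_firewall(SAMPLE_CONFIG, ["SAMPLE", "CORP"])
    print(rep)
    print("left at default:", gaps(rep))
```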