8-18
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 ASA and Cisco Cloud Web Security
Examples for Cisco Cloud Web Security
Start > Administrative Tools > Domain Controller Security Policy
Local policies > Audit Policy > Audit account logon events (success and failure)
Step 5 (Back on the ASA.) Test the AD Agent.
The following example shows how to configure the test Active Directory Agent so that it can
communicate with the ASA:
hostname# test aaa-server ad-agent adagent
Server IP Address or name: 192.168.116.220
INFO: Attempting Ad-agent test to IP address <192.168.116.220> (timeout: 12 seconds)
INFO: Ad-agent Successful
See also the following command: show user-identity ad-agent.
Step 6 Configure the Identity Options on the ASA.
The following example shows how to configure the identity options on the ASA:
hostname(config)# user-identity domain ASASCANLAB aaa-server AD
hostname(config)# user-identity default-domain ASASCANLAB
Step 7 Configure the User Identity Options and Enabling Granular Reporting.
The following example shows how to configure the user identity options that send user credentials to the
ASA and enable granular user reporting from the proxy server:
hostname(config)# user-identity inactive-user-timer minutes 60
hostname(config)# user-identity action netbios-response-fail remove-user-ip
hostname(config)# user-identity user-not-found enable
hostname(config)# user-identity action mac-address-mismatch remove-user-ip
hostname(config)# user-identity ad-agent active-user-database full-download
There are two download modes with Identify Firewall: Full download and On-demand.
• Full download—Whenever a user logs into the network, the IDFW tells the ASA the User identity
immediately (recommended on the ASA 5512-X and above).
• On-demand—Whenever a user logs into the network, the ASA requests the user identity from AD.
If you are using more than one domain, then enter the following command:
hostname(config)# user-identity domain OTHERDOMAINNAME
Step 8 Monitor the Active Directory Groups.
The following example shows how to configure Active Directory groups to be monitored:
hostname(config)# user-identity monitor user-group ASASCANLAB\\GROUPNAME1
hostname(config)# user-identity monitor user-group ASASCANLAB\\GROUPNAME2
hostname(config)# user-identity monitor user-group ASASCANLAB\\GROUPNAME3
Remember to save your configuration once the above is completed.
Step 9 Download the Entire Active-User Database from the Active Directory Server.
The following command updates the specified import user group database by querying the Active
Directory server immediately without waiting for the expiration of poll-import-user-group-timer:
hostname(config)# user-identity update import-user
Step 10 Download the Database from the AD Agent.
The following example shows how to manually start the download of the database from the Active
Directory Agent if you think the user database is out of sync with Active Directory:
hostname(config)# user-identity update active-user-database
To Next Page
Loading...
Need help?
General
