Cisco ASA 5506-X Configuration Guide

Cisco ASA 5506-X
428 pages
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
Prerequisites for the Identity Firewall
If for some reason the packet is lost, there is no way for the ASA to discern this. As a result, the
ASA holds the session for 4-5 minutes, during which time this error message continues to appear if
you have issued the user-identity update active-user-database command.
When you use the Cisco Context Directory Agent (CDA) in conjunction with the ASA or Cisco
IronPort Web Security Appliance (WSA), make sure that you open the following ports:
    Authentication port for UDP—1645
    Accounting port for UDP—1646
    Listening port for UDP—3799
    The listening port is used to send change of authorization requests from the CDA to the ASA or
    to the WSA.
If the user-identity action domain-controller-down domain_name disable-user-identity-rule
command is configured and the specified domain is down, or if the user-identity action
ad-agent-down disable-user-identity-rule command is configured and the AD Agent is down, all
the logged-in users have the disabled status.
For domain names, the following characters are not valid: \/:*?"<>|. For naming conventions, see
http://support.microsoft.com/kb/909264.
For usernames, the following characters are not valid: \/[]:;=,+*?"<>|@.
For user group names, the following characters are not valid: \/[]:;=,+*?"<>|.
How you configure the Identity Firewall to retrieve user information from the AD Agent affects the
amount of memory used by the feature. You specify whether the ASA uses on-demand retrieval or
full download retrieval. Choosing on-demand retrieval has the benefit of using less memory, because
only users of received packets are queried and stored.
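The invalid-character rules above, as an added pre-flight check that is not part of the Cisco guide: it validates user and group names before they are used in identity-based rules and reports which characters are rejected. The function names and the `DOMAIN\name` input form are assumptions made for this example.

```python
# Added example (not from the Cisco guide): pre-flight check of Identity
# Firewall names against the invalid-character sets listed above.
# Function names and the DOMAIN\name input form are assumptions.

INVALID_CHARS = {
    "domain": set('\\/:*?"<>|'),
    "user": set('\\/[]:;=,+*?"<>|@'),
    "group": set('\\/[]:;=,+*?"<>|'),
}


def invalid_chars(kind, name):
    """Return the sorted characters in `name` that are not valid for `kind`."""
    return sorted(set(name) & INVALID_CHARS[kind])


def check_identity(kind, qualified):
    """Check a 'DOMAIN\\name' or bare 'name' string; kind is 'user' or 'group'.

    Returns a list of (part, offending_chars) tuples; an empty list means the
    name passes. An empty part is reported with an empty character list.
    """
    domain, sep, name = qualified.partition("\\")
    parts = [("domain", domain), (kind, name)] if sep else [(kind, qualified)]
    problems = []
    for part, value in parts:
        bad = invalid_chars(part, value)
        if bad or not value:
            problems.append((part, bad))
    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from any real directory.
    samples = [
        ("user", "CORP\\alice"),
        ("user", "alice@corp.example"),   # UPN form: '@' is invalid in usernames
        ("group", "CORP\\ops@night"),     # '@' is not in the group list
        ("group", "CO:RP\\web+db"),
    ]
    for kind, value in samples:
        print(f"{kind:5} {value!r:24} -> {check_identity(kind, value) or 'ok'}")
```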
Prerequisites for the Identity Firewall
This section lists the prerequisites for configuring the Identity Firewall.
AD Agent
The AD Agent must be installed on a Windows server that is accessible to the ASA. Additionally,
you must configure the AD Agent to obtain information from the Active Directory servers and to
communicate with the ASA.
Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.
Note: Windows 2003 R2 is not supported for the AD Agent server.
For the steps to install and configure the AD Agent, see the Installation and Setup Guide for the
Active Directory Agent.
Before configuring the AD Agent in the ASA, obtain the secret key value that the AD Agent and the
ASA use to communicate. This value must match on both the AD Agent and the ASA.
Microsoft Active Directory
Microsoft Active Directory must be installed on a Windows server and accessible by the ASA.
Supported versions include Windows 2003, 2008, and 2008 R2 servers.

Cisco ASA 5506-X Specifications

General
Model: ASA 5506-X
Firewall Throughput: 750 Mbps
Maximum Firewall Connections: 50,000
Maximum VPN Peers: 50
Integrated Ports: 8 x 1 GE
Stateful Inspection Throughput: 750 Mbps
Weight: 4.4 lb (2 kg)
Firewall Throughput (Multiprotocol): 750 Mbps
Firewall Throughput (Application Visibility and Control AVC): 250 Mbps
Concurrent Sessions: 50,000
New Connections per Second: 10,000
IPsec VPN Throughput: 100 Mbps
Interfaces: 8 x 1 GE
Memory: 4 GB
Flash Memory: 8 GB
Form Factor: Desktop
VPN Throughput: 100 Mbps
Maximum Concurrent Sessions: 50,000
New Sessions per Second: 10,000
Operating Temperature: 32 to 104°F (0 to 40°C)
Storage Temperature: -13 to 158°F (-25 to 70°C)
Power Supply: External
Humidity: 10% to 90% non-condensing