5-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
Configure the Identity Firewall
Configure Active Directory Agents
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects
that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to
the secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the
communication protocol; therefore, you should specify a key attribute for the shared secret between the
ASA and AD Agent.
Before You Begin
• AD agent IP address
• Shared secret between the ASA and AD agent
To configure the AD Agents, perform the following steps:
Procedure
Step 1 Create the AAA server group and configure AAA server parameters for the AD Agent.
aaa-server server-tag protocol radius
Example:
hostname(config)# aaa-server adagent protocol radius
Step 2 Enable the AD Agent mode.
ad-agent-mode
Example:
hostname(config)# ad-agent-mode
Step 3 Configure the AAA server as part of a AAA server group and the AAA server parameters that are
host-specific for the AD Agent.
aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]
Example:
hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101
Step 4 Specify the server secret value used to authenticate the ASA to the AD Agent server.
key key
Example:
hostname(config-aaa-server-host)# key mysecret
Step 5 Define the server group of the AD Agent.
user-identity ad-agent aaa-server aaa_server_group_tag
Example:
hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagent
The first server defined in the aaa_server_group_tag argument is the primary AD Agent and the second
server defined is the secondary AD Agent. The Identity Firewall supports defining only two AD Agent
hosts.
To Next Page
Loading...
Need help?
General
