Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
About the Identity Firewall
• Supports a fully qualified domain name (FQDN) for the source and destination of a user identity policy.
• Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature works in tandem with the existing 5-tuple solution.
• Supports use with IPS and Application Inspection policies.
• Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN, and cut-through proxy. All retrieved users are populated to all ASAs that are connected to the AD Agent.
Scalability
• Each AD Agent supports 100 ASAs. Multiple ASAs are able to communicate with a single AD Agent to provide scalability in larger network deployments.
• Supports 30 Active Directory servers, provided the IP address is unique among all domains.
• Each user identity in a domain can have up to 8 IP addresses.
• Supports up to 64,000 user identity-IP address mapped entries in active policies for the ASA 5500 Series models. This limit controls the maximum number of users who have policies applied. The total number of users is the aggregate of all users configured in all different contexts.
• Supports up to 512 user groups in active ASA policies.
• A single access rule can contain one or more user groups or users.
• Supports multiple domains.
Availability
• The ASA retrieves group information from Active Directory and falls back to web authentication for IP addresses when the AD Agent cannot map a source IP address to a user identity.
• The AD Agent continues to function when any of the Active Directory servers or the ASA is not responding.
• Supports configuring a primary AD Agent and a secondary AD Agent on the ASA. If the primary AD Agent stops responding, the ASA can switch to the secondary AD Agent.
• If the AD Agent is unavailable, the ASA can fall back to existing identity sources such as cut-through proxy and VPN authentication.
• The AD Agent runs a watchdog process that automatically restarts its services when they are down.
• Allows a distributed IP address/user mapping database for use among ASAs.
Deployment Scenarios
You can deploy the components of the Identity Firewall in the following ways, depending on the requirements of your environment.
The following figure shows how you can deploy the components of the Identity Firewall to allow for redundancy. Scenario 1 shows a simple installation without component redundancy. Scenario 2 also shows a simple installation without redundancy; however, in this deployment scenario, the Active Directory server and the AD Agent are co-located on the same Windows server.