5-17
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
Configure the Identity Firewall
When this command is configured, the ASA removes the user identity-IP address mapping for that client.
By default, the ASA uses the remove-user-ip keyword when this command is specified.
Step 12 Define how the ASA retrieves the user identity-IP address mapping information from the AD Agent.
user-identity ad-agent active-user-database {on-demand | full-download}
Example:
hostname(config)# user-identity ad-agent active-user-database full-download
By default, the ASA uses the full-download option.
• Full-download—Specifies that the ASA send a request to the AD Agent to download the entire IP-user mapping table when the ASA starts and then to receive incremental IP-user mapping information when users log in and log out. Full downloads are event driven, meaning that when there are subsequent requests to download the database, just the updates to the user identity-IP address mapping database are sent.
• On-demand—Specifies that the ASA retrieve the user mapping information of an IP address from the AD Agent when the ASA receives a packet that requires a new connection, and the user of its source IP address is not in the user-identity database.
When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.
Step 13 Define the hello timer between the ASA and the AD Agent.
user-identity ad-agent hello-timer seconds seconds retry-times number
Example:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5 retries.
Step 14 Enable the ASA to keep track of the last event time stamp that it receives for each identifier and to discard any message if the event time stamp is at least 5 minutes older than the ASA’s clock, or if its time stamp is earlier than the last event’s time stamp.
user-identity ad-agent event-timestamp-check
Example:
hostname(config)# user-identity ad-agent event-timestamp-check
For a newly booted ASA that does not have knowledge of the last event time stamp, the ASA compares the event time stamp with its own clock. If the event is at least 5 minutes older, the ASA does not accept the message.
We recommend that you configure the ASA, Active Directory, and Active Directory agent to synchronize their clocks among themselves using NTP.
Step 15 Define the server group of the AD Agent.
user-identity ad-agent aaa-server aaa_server_group_tag
Example:
hostname(config)# user-identity ad-agent aaa-server adagent
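The two discard rules that Step 14 enables (stale events at least 5 minutes older than the ASA clock, and out-of-order events per identifier), modelled in Python as an added example; this is not Cisco code, the clock is injected so the check is deterministic, and the user names and time stamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Events at least this much older than the ASA clock are discarded ("at least 5 minutes older").
MAX_EVENT_AGE = timedelta(minutes=5)


class EventTimestampCheck:
    """Hypothetical model of the filtering that `user-identity ad-agent event-timestamp-check`
    turns on: remember the last accepted event time stamp per identifier and reject replays."""

    def __init__(self, clock):
        self._clock = clock      # callable returning the current ASA time (injectable for tests)
        self._last_seen = {}     # identifier -> time stamp of the last accepted event

    def accept(self, identifier, event_ts):
        now = self._clock()
        # Rule 1: discard if the event is at least 5 minutes older than the ASA clock.
        # This is also the only rule a newly booted ASA can apply, since it has no history yet.
        if now - event_ts >= MAX_EVENT_AGE:
            return False
        # Rule 2: discard if the time stamp is earlier than the last accepted event for this identifier.
        last = self._last_seen.get(identifier)
        if last is not None and event_ts < last:
            return False
        self._last_seen[identifier] = event_ts
        return True


def run_demo():
    """Feed a constructed event sequence through the check; returns one accept/reject flag per event."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed ASA clock value
    check = EventTimestampCheck(lambda: now)
    events = [  # constructed (identifier, event time stamp) pairs, as the AD Agent would deliver them
        ("alice", now - timedelta(minutes=1)),   # fresh login event: accepted
        ("alice", now - timedelta(minutes=3)),   # older event for alice arriving late: rejected (rule 2)
        ("bob",   now - timedelta(minutes=5)),   # exactly 5 minutes old: rejected (rule 1)
        ("bob",   now - timedelta(seconds=30)),  # fresh event for bob: accepted
        ("alice", now),                          # newer event for alice: accepted
    ]
    return [check.accept(user, ts) for user, ts in events]


if __name__ == "__main__":
    print(run_demo())  # [True, False, False, True, True]
```

Because rule 1 compares the AD Agent's time stamps with the ASA's own clock, the NTP synchronization the manual recommends is what keeps legitimate events from being discarded as stale.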

Cisco ASA 5512-X Specifications

General
Firewall Throughput: 1.2 Gbps
VPN Throughput: 200 Mbps
Maximum VPN Peers: 250
Integrated IPS: Yes
IPS Throughput: 250 Mbps
RAM: 4 GB
Power Supply: AC, 100-240V
Security Contexts: 2 (Standard), 50 (with Security Contexts license)
Interfaces: 6 x Gigabit Ethernet
Dimensions (H x W x D): 1.75 x 17.5 x 14.5 inches
Weight: 16 lbs