1-18
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
What to Do Next
Configure the Active Directory domain and server groups. See Configuring the Active Directory
Domain, page 1-10.
Configure AD Agents. See Configuring Active Directory Agents, page 1-12.
Configuring Identity-Based Security Policy
You can incorporate identity-based policy in many ASA features. Any feature that uses extended ACLs
(other than those listed as unsupported in the “Guidelines and Limitations” section on page 1-7) can take
advantage of identity firewall. You can now add user identity arguments to extended ACLs, as well as
network-based parameters.
• To configure an extended ACL, see Chapter 1, “Adding an Extended Access Control List.”
• To configure local user groups, which can be used in the ACL, see the “Configuring Local User
Groups” section on page 1-11.
Features that can use identity include the following:
• Access rules—An access rule permits or denies traffic on an interface using network information.
With identity firewall, you can now control access based on user identity. See Chapter 1,
“Configuring Access Rules.”
• AAA rules—An authentication rule (also known as “cut-through proxy”) controls network access
based on user. Because this function is very similar to an access rule + identity firewall, AAA rules
can now be used as a backup method of authentication if a user’s AD login expires. For example,
for any user without a valid login, you can trigger a AAA rule. To ensure that the AAA rule is only
triggered for users that do not have valid logins, you can specify special usernames in the extended
ACL used for the access rule and for the AAA rule: None (users without a valid login) and Any
(users with a valid login). In the access rule, configure your policy as usual for users and groups, but
then include a rule that permits all None users; you must permit these users so they can later trigger
a AAA rule. Then, configure a AAA rule that denies Any users (these users are not subject to the
AAA rule, and were handled already by the access rule), but permits all None users:
access-list 100 ex permit ip user CISCO\xyz any any
Step 13
hostname(config)# user-identity ad-agent hello-timer
seconds seconds retry-times number
Example:
hostname(config)# user-identity ad-agent hello-timer
seconds 20 retry-times 3
Defines the hello timer between the ASA and the AD
Agent.
The hello timer between the ASA and the AD Agent
defines how frequently the ASA exchanges hello
packets. The ASA uses the hello packet to obtain
ASA replication status (in-sync or out-of-sync) and
domain status (up or down). If the ASA does not
receive a response from the AD Agent, it resends a
hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5
retries.
Step 14
hostname(config)# user-identity ad-agent aaa-server
aaa_server_group_tag
Example:
hostname(config)# user-identity ad-agent aaa-server
adagent
Defines the server group of the AD Agent.
For aaa_server_group_tag, enter the value defined
by the aaa-server command.
Command Purpose
To Next Page
Loading...
Need help?
General
