Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring the Identity Firewall
  Task Flow for Configuring the Identity Firewall
Step 11
Command:
hostname(config)# user-identity action mac-address-mismatch remove-user-ip
Purpose:
Specifies the action when a user's MAC address is found to be inconsistent with the ASA device IP address currently mapped to that MAC address.
When the user-identity action mac-address-mismatch command is configured, the ASA removes the user identity-IP address mapping for that client.
By default, the ASA uses the remove-user-ip keyword when this command is specified.
Step 12
Command:
hostname(config)# user-identity ad-agent active-user-database {on-demand|full-download}
Example:
hostname(config)# user-identity ad-agent active-user-database full-download
Purpose:
Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:
• full-download: Specifies that the ASA send a request to the AD Agent to download the entire IP-user mapping table when the ASA starts and then to receive incremental IP-user mapping when users log in and log out.
• on-demand: Specifies that the ASA retrieve the user mapping information of an IP address from the AD Agent when the ASA receives a packet that requires a new connection and the user of its source IP address is not in the user-identity database.
By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.
Full downloads are event driven, meaning that subsequent requests to download the database send just the updates to the user identity-IP address mapping database.
When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.
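An added example, not part of the Cisco guide: a Python check that reads configuration text containing the Step 11 and Step 12 commands and reports the effective settings, applying the defaults stated above when a command is absent. The function name, the `platform` parameter, the "last entry wins" rule, and the sample input are assumptions made for illustration.

```python
import re

# Constructed sample input: the two commands exactly as the guide shows them.
SAMPLE_CONFIG = """\
hostname(config)# user-identity action mac-address-mismatch remove-user-ip
hostname(config)# user-identity ad-agent active-user-database full-download
"""

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")
MAC_CMD = re.compile(r"^user-identity\s+action\s+mac-address-mismatch(?:\s+(remove-user-ip))?$")
DB_CMD = re.compile(r"^user-identity\s+ad-agent\s+active-user-database\s+(on-demand|full-download)$")


def audit_identity_firewall(config_text, platform):
    """Report the effective Step 11 / Step 12 settings found in config_text.

    platform is a model string such as "5505" (hypothetical parameter).
    """
    mac_action, modes = None, []
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())  # drop a leading CLI prompt, if any
        m = MAC_CMD.match(line)
        if m:
            # Per the guide, remove-user-ip is used when the keyword is omitted.
            mac_action = m.group(1) or "remove-user-ip"
            continue
        m = DB_CMD.match(line)
        if m:
            modes.append(m.group(1))

    findings = []
    if modes:
        mode, source = modes[-1], "configured"  # assumption: last entry wins
        if len(set(modes)) > 1:
            findings.append("conflicting active-user-database lines: " + ", ".join(modes))
    else:
        # Defaults stated in the guide: ASA 5505 on-demand, other platforms full-download.
        mode = "on-demand" if platform == "5505" else "full-download"
        source = "platform default"
    if mac_action is None:
        findings.append("mac-address-mismatch action not found in supplied text")
    return {"mode": mode, "mode_source": source, "mac_action": mac_action, "findings": findings}


if __name__ == "__main__":
    print(audit_identity_firewall(SAMPLE_CONFIG, "5515"))
```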