Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 8      ASA and Cisco Cloud Web Security
  Examples for Cisco Cloud Web Security
Step 8 Configure service policy.
If you created a separate policy map for Cloud Web Security, the following example shows how to apply 
it to an interface. If you instead added the classes to the global_policy map, you are finished; you do not 
need to enter the service-policy command.
hostname(config)# service-policy pmap-webtraffic interface inside
Active Directory Integration Example for Identity Firewall
The following is an end-to-end example configuration for Active Directory integration. This 
configuration enables the identity firewall.
Procedure
Step 1 Configure the Active Directory Server Using LDAP.
The following example shows how to configure the Active Directory server on your ASA using LDAP. Note that, as written, it binds as the built-in domain administrator over cleartext LDAP on port 389; for a production deployment use a dedicated read-only bind account and enable LDAP over SSL (ldap-over-ssl enable with server-port 636) so the bind credentials do not cross the network in the clear:
hostname(config)# aaa-server AD protocol ldap
hostname(config-aaa-server-group)# aaa-server AD (inside) host 192.168.116.220
hostname(config-aaa-server-host)# ldap-base-dn DC=ASASCANLAB,DC=local
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# server-type microsoft
hostname(config-aaa-server-host)# server-port 389
hostname(config-aaa-server-host)# ldap-login-dn cn=administrator,cn=Users,dc=asascanlab,dc=local
hostname(config-aaa-server-host)# ldap-login-password Password1
Step 2 Configure the Active Directory Agent Using RADIUS.
The following example shows how to configure the Active Directory Agent on your ASA using 
RADIUS:
hostname(config)# aaa-server adagent protocol radius
hostname(config-aaa-server-group)# ad-agent-mode
hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.116.220
hostname(config-aaa-server-host)# key cisco123
hostname(config-aaa-server-host)# user-identity ad-agent aaa-server adagent
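Before moving on to the AD Agent server, it is worth checking the ASA side of the configuration for the weak settings the two steps above leave in place. The following is an added example, not code from the Cisco guide: a small Python audit script that parses aaa-server host blocks out of running-config text and flags a cleartext LDAP bind (no ldap-over-ssl), a bind DN that is the built-in Administrator account, and a short RADIUS shared secret, then shows the same configuration with those settings corrected. The sample configurations are constructed from Steps 1 and 2; the 16-character minimum secret length, the asa-ldap-reader service account, the ServiceAccounts OU and the replacement secret value are assumptions chosen for illustration.

```python
"""Audit the aaa-server blocks an ASA uses for Identity Firewall.

Added example (not from the Cisco guide). Runs offline against
running-config text; no device access required.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
MIN_RADIUS_KEY_LEN = 16  # assumed local policy, not an ASA requirement

# Constructed sample: Steps 1 and 2 from the guide as they would appear in
# the running config (one-space indent under each host line).
WEAK_CONFIG = """\
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.168.116.220
 ldap-base-dn DC=ASASCANLAB,DC=local
 ldap-scope subtree
 server-type microsoft
 server-port 389
 ldap-login-dn cn=administrator,cn=Users,dc=asascanlab,dc=local
 ldap-login-password Password1
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.116.220
 key cisco123
user-identity ad-agent aaa-server adagent
"""

# Constructed sample: the same blocks with LDAP over SSL, a dedicated
# read-only bind account (assumed name/OU) and a longer RADIUS secret.
HARDENED_CONFIG = """\
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.168.116.220
 ldap-base-dn DC=ASASCANLAB,DC=local
 ldap-scope subtree
 server-type microsoft
 server-port 636
 ldap-over-ssl enable
 ldap-login-dn cn=asa-ldap-reader,ou=ServiceAccounts,dc=asascanlab,dc=local
 ldap-login-password <redacted>
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.116.220
 key Jx7vQ2mR9sLp4wNt8bYc3eHk
user-identity ad-agent aaa-server adagent
"""


@dataclass
class Host:
    group: str
    protocol: str
    address: str
    settings: Dict[str, str] = field(default_factory=dict)


def parse_aaa_servers(config: str) -> List[Host]:
    """Return one Host per 'aaa-server <group> (<if>) host <ip>' block."""
    protocols: Dict[str, str] = {}
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:  # group definition carries the protocol for its hosts
            protocols[m.group(1)] = m.group(2)
            current = None
            continue
        m = HOST_RE.match(line)
        if m:
            group = m.group(1)
            current = Host(group, protocols.get(group, "?"), m.group(3))
            hosts.append(current)
            continue
        if current is not None and not line.startswith("user-identity"):
            key, _, value = line.partition(" ")  # first word is the setting
            current.settings[key] = value
    return hosts


def audit(config: str) -> List[str]:
    """Return a list of human-readable findings; empty means no issues."""
    findings: List[str] = []
    for h in parse_aaa_servers(config):
        s, tag = h.settings, f"{h.group}/{h.address}"
        if h.protocol == "ldap":
            port = s.get("server-port", "389")  # ASA default when unset
            if s.get("ldap-over-ssl") != "enable":
                findings.append(f"{tag}: cleartext LDAP bind on port {port}; "
                                "add 'ldap-over-ssl enable' and 'server-port 636'")
            if s.get("ldap-login-dn", "").lower().startswith("cn=administrator,"):
                findings.append(f"{tag}: bind DN is the built-in Administrator; "
                                "use a dedicated read-only account")
        elif h.protocol == "radius":
            key = s.get("key", "")
            if len(key) < MIN_RADIUS_KEY_LEN:
                findings.append(f"{tag}: RADIUS shared secret is {len(key)} "
                                f"characters; use at least {MIN_RADIUS_KEY_LEN}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against the output of show running-config aaa-server (or the full running config); the password and key values are masked there, so the secret-length check only applies to configuration captured as typed or taken from more system:running-config.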
Step 3 (On the AD Agent server.) Create the ASA as a Client on the AD Agent Server.
The following example shows how to create the ASA as a client on the Active Directory agent server:
c:\IBF\CLI\adacfg client create -name ASA5520DEVICE -ip 192.168.116.90 -secret cisco123
Step 4 (On the AD Agent server.) Create a Link Between the AD Agent and DCs.
The following example shows how to create a link between the Active Directory Agent and all DCs for 
which you want to monitor logon/logoff events:
c:\IBF\CLI\adacfg.exe dc create -name DCSERVER1 -host W2K3DC -domain W2K3DC.asascanlab.local -user administrator -password Password1
c:\IBF\CLI\adacfg.exe dc list
Running the last command should list DCSERVER1 with a status of “UP.” Any other status means the agent cannot reach the DC or the supplied account cannot read its security log, and no logon events will be collected from that DC.
For the AD_Agent to monitor logon/logoff events, you need to ensure that these are logged on all DCs 
that are actively being monitored. To do this, choose: