1-17
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Step 11
hostname(config)# user-identity action
mac-address-mismatch remove-user-ip
Specifies the action when a user's MAC address is
found to be inconsistent with the ASA device IP
address currently mapped to that MAC address.
When the user-identity action
mac-address-mismatch command is configured,
the ASA removes the user identity-IP address
mapping for that client.
By default, the ASA uses the remove-user-ip
keyword when this command is specified.
Step 12
hostname(config)# user-identity ad-agent
active-user-database {on-demand|full-download}
Example:
hostname(config)# user-identity ad-agent
active-user-database full-download
Defines how the ASA retrieves the user identity-IP
address mapping information from the AD Agent:
• full-download—Specifies that the ASA send a
request to the AD Agent to download the entire
IP-user mapping table when the ASA starts and
then to receive incremental IP-user mapping
when users log in and log out.
• on-demand—Specifies that the ASA retrieve
the user mapping information of an IP address
from the AD Agent when the ASA receives a
packet that requires a new connection and the
user of its source IP address is not in the
user-identity database.
By default, the ASA 5505, uses the on-demand
option. The other ASA platforms use the
full-download option.
Full downloads are event driven, meaning that
subsequent requests to download the database, send
just the updates to the user identity-IP address
mapping database.
When the ASA registers a change request with the
AD Agent, the AD Agent sends a new event to the
ASA.
Command Purpose
To Next Page
Loading...
Need help?
General
