Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5
Identity Firewall
This chapter describes how to configure the ASA for the Identity Firewall.
• About the Identity Firewall, page 5-1
• Guidelines for the Identity Firewall, page 5-7
• Prerequisites for the Identity Firewall, page 5-9
• Configure the Identity Firewall, page 5-10
• Examples for the Identity Firewall, page 5-19
• History for the Identity Firewall, page 5-22
About the Identity Firewall
In an enterprise, users often need access to one or more server resources. Typically, a firewall is not aware of the users’ identities and, therefore, cannot apply security policies based on identity. To configure per-user access policies, you must configure a user authentication proxy, which requires user interaction (a username/password query).
The Identity Firewall in the ASA provides more granular access control based on users’ identities. You can configure access rules and security policies based on user names and user group names rather than through source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped usernames instead of network IP addresses.
The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses and allows transparent authentication for Active Directory users.
Identity-based firewall services enhance the existing access control and security policy mechanisms by allowing users or groups to be specified in place of source IP addresses. Identity-based security policies can be interleaved without restriction between traditional IP address-based rules.
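The following configuration is an added illustration of the model just described and is not taken from this guide: it wires the ASA to a constructed AD Agent and domain controller, then builds one ACL in which user- and user-group-based rules are interleaved with ordinary IP-based rules. The domain nickname SAMPLE, all addresses, names and secrets are constructed placeholders, and the command syntax is given from memory of the ASA `user-identity` and `access-list ... user / user-group` commands, so verify it against the Configure section of this chapter.

```cisco
! Added example, not from the guide. Constructed values: domain nickname
! SAMPLE, AD domain controller 192.168.1.100, AD Agent 192.168.1.101,
! finance web server 10.1.1.10, shared database server 10.1.1.20.
!
! 1. AD Agent: supplies the IP-to-user mapping to the ASA (RADIUS transport).
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.1.101
 key ADAGENT-SHARED-SECRET-PLACEHOLDER
user-identity ad-agent aaa-server adagent
!
! 2. Active Directory (LDAP): the ASA resolves group membership here.
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 192.168.1.100
 ldap-base-dn dc=sample,dc=example
 ldap-group-base-dn dc=sample,dc=example
 ldap-scope subtree
 ldap-login-dn cn=asa-reader,cn=Users,dc=sample,dc=example
 ldap-login-password LDAP-PASSWORD-PLACEHOLDER
 server-type microsoft
user-identity domain SAMPLE aaa-server adserver
user-identity default-domain SAMPLE
user-identity enable
!
! 3. One ACL mixing identity-based and IP-based rules. "user-group" takes a
!    double backslash after the domain nickname, "user" a single one.
!    A host whose IP has no current mapping matches neither identity rule and
!    falls through to the IP-based rules and the final deny.
access-list inside_in extended permit tcp user-group SAMPLE\\Finance any host 10.1.1.10 eq 443
access-list inside_in extended permit tcp user SAMPLE\auditor any host 10.1.1.10 eq 443
access-list inside_in extended deny tcp any host 10.1.1.10 eq 443
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list inside_in extended deny ip any any
access-group inside_in in interface inside
!
! 4. Verification: confirm the IP-to-user mapping exists before relying on
!    the identity rules, and check which IP a given user is mapped to.
! show user-identity user active
! show user-identity ip-of-user SAMPLE\auditor
```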
The key benefits of the Identity Firewall include:
• Decoupling network topology from security policies
• Simplifying the creation of security policies
• Providing the ability to easily identify user activities on network resources
• Simplifying user activity monitoring