5-14
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
Configure the Identity Firewall
When the ASA detects that the primary AD Agent is down and a secondary agent is specified, it switches
to the secondary AD Agent. The AAA server for the AD agent uses RADIUS as the communication
protocol, and should specify a key attribute for the shared secret between the ASA and AD Agent.
Step 6 Test the communication between the ASA and the AD Agent server.
test aaa-server ad-agent
Example:
hostname(config-aaa-server-host)# test aaa-server ad-agent
Configure Identity Options
To configure the Identity Options for the Identity Firewall, perform the following steps:
Procedure
Step 1 Enable the Identity Firewall feature. By default, the Identity Firewall feature is disabled.
user-identity enable
Example:
hostname(config)# user-identity enable
Step 2 Specify the default domain for the Identity Firewall.
user-identity default-domain domain_NetBIOS_name
Example:
hostname(config)# user-identity default-domain SAMPLE
For the domain_NetBIOS_name argument, enter a name of up to 32 characters that consists of [a-z],
[A-Z], [0-9], [!@#$%^&()-_=+[]{};,. ] except '.' and ' ' at the first character. If the domain name includes
a space, enclose the entire name in quotation marks. The domain name is not case sensitive.
The default domain is used for all users and user groups when a domain has not been explicitly
configured for those users or groups. When a default domain is not specified, the default domain for
users and groups is LOCAL. For multiple context modes, you can set a default domain name for each
context, as well as within the system execution space.
Note The default domain name that you specify must match the NetBIOS domain name configured on
the Active Directory domain controller. If the domain name does not match, the AD Agent
incorrectly associates the user identity-IP address mapped entries with the domain name that you
enter when configuring the ASA. To view the NetBIOS domain name, open the Active Directory
user event security log in any text editor.
The Identity Firewall uses the LOCAL domain for all locally defined user groups or locally defined
users. Users logging in through a web portal (cut-through proxy) are designated as belonging to the
Active Directory domain with which they authenticated. Users logging in through a VPN are designated
as belonging to the LOCAL domain unless the VPN is authenticated by LDAP with the Active Directory.
In this case, the Identity Firewall can associate the users with their Active Directory domain.
To Next Page
Loading...
Need help?
General