Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring the Identity Firewall
  Task Flow for Configuring the Identity Firewall
See Configuring Active Directory Agents, page 1-12.
See also Deployment Scenarios, page 1-4 for the ways in which you can deploy the AD Agents to meet 
your environment requirements.
Step 3 Configure Identity Options. 
See Configuring Identity Options, page 1-13. 
Step 4 Configure Identity-based Security Policy. 
After the AD domain and the AD Agent are configured, you can create identity-based object groups and ACLs 
for use in many features. See Configuring Identity-Based Security Policy, page 1-18.
Configuring the Active Directory Domain
Active Directory domain configuration on the ASA is required for the ASA to download Active 
Directory groups and accept user identities from specific domains when receiving IP-user mapping from 
the AD Agent. 
Prerequisites
• Active Directory server IP address 
• Distinguished Name for LDAP base dn 
• Distinguished Name and password for the Active Directory user that the Identity Firewall uses to 
connect to the Active Directory domain controller 
To configure the Active Directory domain, perform the following steps:
Step 1
Command:
hostname(config)# aaa-server server-tag protocol ldap
Example:
hostname(config)# aaa-server adserver protocol ldap
Purpose:
Creates the AAA server group and configures the AAA server parameters for the Active Directory server.

Step 2
Command:
hostname(config-aaa-server-group)# aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]
Example:
hostname(config-aaa-server-group)# aaa-server adserver (mgmt) host 172.168.224.6
Purpose:
For the Active Directory server, adds the AAA server to the AAA server group and configures the AAA server parameters that are host-specific.

Step 3
Command:
hostname(config-aaa-server-host)# ldap-base-dn string
Example:
hostname(config-aaa-server-host)# ldap-base-dn DC=SAMPLE,DC=com
Purpose:
Specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.
Specifying the ldap-base-dn command is optional. If you do not specify this command, the ASA retrieves the defaultNamingContext from Active Directory and uses it as the base DN.

Step 4
Command:
hostname(config-aaa-server-host)# ldap-scope subtree
Purpose:
Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request. With subtree, users and groups in OUs nested below the base DN are found; a narrower scope misses them.