Cisco ASA Series Configuration Manual page 154

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Examples for Cisco Cloud Web Security
Start > Administrative Tools > Domain Controller Security Policy
Local policies > Audit Policy > Audit account logon events (success and failure)
Step 5
(Back on the ASA.) Test the AD Agent.
The following example shows how to test that the Active Directory Agent can communicate with the
ASA:
hostname# test aaa-server ad-agent adagent
Server IP Address or name: 192.168.116.220
INFO: Attempting Ad-agent test to IP address <192.168.116.220> (timeout: 12 seconds)
INFO: Ad-agent Successful
See also the following command: show user-identity ad-agent.
Step 6
Configure the Identity Options on the ASA.
The following example shows how to configure the identity options on the ASA:
hostname(config)# user-identity domain ASASCANLAB aaa-server AD
hostname(config)# user-identity default-domain ASASCANLAB
Step 7
Configure the User Identity Options and Enable Granular Reporting.
The following example shows how to configure the user identity options that control how the ASA
maintains user-to-IP mappings and enable granular (per-user) reporting on the Cloud Web Security
proxy server:
hostname(config)# user-identity inactive-user-timer minutes 60
hostname(config)# user-identity action netbios-response-fail remove-user-ip
hostname(config)# user-identity user-not-found enable
hostname(config)# user-identity action mac-address-mismatch remove-user-ip
hostname(config)# user-identity ad-agent active-user-database full-download
There are two download modes for the Identity Firewall: full download and on-demand.
Full download—The ASA downloads the entire active-user database from the AD Agent, and the AD Agent
then pushes each new login to the ASA immediately (recommended on the ASA 5512-X and above).
On-demand—The ASA queries the AD Agent for the user identity of each new source IP address it sees,
so a mapping is learned only when traffic from that address arrives.
If you are using more than one domain, add each additional domain with its own AAA server group
(the user-identity domain command requires the aaa-server keyword):
hostname(config)# user-identity domain OTHERDOMAINNAME aaa-server OTHERAAASERVERGROUP
Step 8
Monitor the Active Directory Groups.
The following example shows how to configure Active Directory groups to be monitored:
hostname(config)# user-identity monitor user-group ASASCANLAB\\GROUPNAME1
hostname(config)# user-identity monitor user-group ASASCANLAB\\GROUPNAME2
hostname(config)# user-identity monitor user-group ASASCANLAB\\GROUPNAME3
Remember to save your configuration (write memory) once the above is completed.
Step 9
Download the Entire Active-User Database from the Active Directory Server.
The following command updates the specified import user group database by querying the Active
Directory server immediately without waiting for the expiration of poll-import-user-group-timer:
hostname(config)# user-identity update import-user
Step 10
Download the Database from the AD Agent.
The following example shows how to manually start the download of the database from the Active
Directory Agent if you think the user database is out of sync with Active Directory:
hostname(config)# user-identity update active-user-database
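Steps 6 through 8 are only effective if every option actually lands in the running configuration, and the two remove-user-ip actions in Step 7 are what keep a stale or spoofed user-to-IP mapping from carrying another host's identity to the proxy. The following is an added example, not part of the Cisco guide, that audits a saved copy of the user-identity section offline: it checks that the Step 7 hardening lines are present and that the default domain and every monitored group refer to a domain nickname defined with user-identity domain. The two configuration excerpts are constructed for this example (the OTHERDOMAINNAME nickname and the undefined-domain case are assumptions, not output captured from a real ASA); the running-config line format is assumed to match the commands as typed above.

```python
import re
from typing import List

# Constructed sample of the user-identity section of a running configuration
# for a box configured as in Steps 6 to 8 above (built for this example, not
# captured from a real ASA).
HARDENED_CONFIG = r"""
user-identity domain ASASCANLAB aaa-server AD
user-identity default-domain ASASCANLAB
user-identity inactive-user-timer minutes 60
user-identity action netbios-response-fail remove-user-ip
user-identity user-not-found enable
user-identity action mac-address-mismatch remove-user-ip
user-identity ad-agent active-user-database full-download
user-identity monitor user-group ASASCANLAB\\GROUPNAME1
user-identity monitor user-group ASASCANLAB\\GROUPNAME2
"""

# Same box with the mapping-removal actions left out and a monitored group
# under a domain nickname (assumed name) that was never defined.
WEAK_CONFIG = r"""
user-identity domain ASASCANLAB aaa-server AD
user-identity default-domain ASASCANLAB
user-identity inactive-user-timer minutes 60
user-identity ad-agent active-user-database full-download
user-identity monitor user-group OTHERDOMAINNAME\\GROUPNAME1
"""

# Step 7 lines that make the ASA drop a user-to-IP mapping when the host
# stops answering NetBIOS probes or reappears with a different MAC address.
REQUIRED_LINES = (
    "user-identity action netbios-response-fail remove-user-ip",
    "user-identity action mac-address-mismatch remove-user-ip",
    "user-identity user-not-found enable",
)

DOMAIN_RE = re.compile(r"^user-identity domain (\S+) aaa-server (\S+)$")
DEFAULT_RE = re.compile(r"^user-identity default-domain (\S+)$")
# Group lines carry a literal double backslash between nickname and group.
GROUP_RE = re.compile(r"^user-identity monitor user-group (\S+?)\\\\(\S+)$")


def parse_user_identity(config: str) -> dict:
    """Extract the domain map, default domain and monitored groups; every
    non-blank line is also kept verbatim in 'lines' for presence checks."""
    parsed = {"domains": {}, "default_domain": None, "groups": [], "lines": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parsed["lines"].add(line)
        if m := DOMAIN_RE.match(line):
            parsed["domains"][m.group(1)] = m.group(2)
        elif m := DEFAULT_RE.match(line):
            parsed["default_domain"] = m.group(1)
        elif m := GROUP_RE.match(line):
            parsed["groups"].append((m.group(1), m.group(2)))
    return parsed


def audit_user_identity(config: str) -> List[str]:
    """Return findings as strings; an empty list means every required line is
    present and all domain references resolve to a configured domain."""
    p = parse_user_identity(config)
    findings = []
    for required in REQUIRED_LINES:
        if required not in p["lines"]:
            findings.append(f"missing: {required}")
    if p["default_domain"] is None:
        findings.append("no user-identity default-domain configured")
    elif p["default_domain"] not in p["domains"]:
        findings.append(f"default-domain {p['default_domain']} has no "
                        "'user-identity domain ... aaa-server ...' entry")
    for nickname, group in p["groups"]:
        if nickname not in p["domains"]:
            findings.append(f"monitored group {nickname}\\\\{group} refers to "
                            f"undefined domain nickname {nickname}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}:")
        for finding in audit_user_identity(cfg) or ["ok"]:
            print(f"  {finding}")
```

Feed it the text of show running-config user-identity from each ASA (or the config pulled by your backup tooling) and treat any "missing:" finding as a box that will keep a user-to-IP mapping after the host has stopped answering probes or changed MAC, which is exactly the window in which another host can inherit that user's policy and reporting identity at the proxy.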
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 8: ASA and Cisco Cloud Web Security, page 8-18