Configure Local User Groups - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 2
Objects for Access Control

Configure Local User Groups

You can create local user groups for use in features that support the identity firewall by including the
group in an extended ACL, which in turn can be used in an access rule, for example.

The ASA sends an LDAP query to the Active Directory server for the user groups globally defined on the
Active Directory domain controller and imports those groups for identity-based rules. However, the ASA
might protect localized network resources that are not defined globally and that require local user groups
with localized security policies. Local user groups can contain nested groups and user groups that are
imported from Active Directory. The ASA consolidates local and Active Directory groups, so a user can
belong to both local user groups and user groups imported from Active Directory.

Because you can use usernames and user group names directly in an ACL, you need to configure local
user groups only if:

• You want to create a group of users defined in the LOCAL database.
• You want to create a group of users or user groups that are not captured in a single user group defined
on the AD server.

For information on how to enable the identity firewall, see Chapter 5, "Identity Firewall."

Procedure

Step 1 Create or edit a user object group using the object name.

hostname(config)# object-group user group_name

Example
hostname(config)# object-group user admins

Step 2 Add users and groups to the user object group using one or more of the following commands. Use the
no form of the command to remove an object.

• user [domain_NETBIOS_name\]username—A username. If there is a space in the domain name or
username, you must enclose the domain name and user name in quotation marks. The domain name
can be LOCAL (for users defined in the local database) or an Active Directory (AD) domain name
as specified in the user-identity domain domain_NetBIOS_name aaa-server
aaa_server_group_tag command. When adding users defined in an AD domain, the user_name must
be the Active Directory sAMAccountName, which is unique, instead of the common name (cn),
which might not be unique. If you do not specify a domain name, the default is used, which is either
LOCAL or the one defined on the user-identity default-domain command.
• user-group [domain_NETBIOS_name\\]username—A user group. If there is a space in the domain
name or group name, you must enclose the domain name and group name in quotation marks. Note
the double \\ that separates the domain and group names.
• group-object object_group_name—The name of an existing user object group.

Example
hostname(config-user-object-group)# user EXAMPLE\admin
hostname(config-user-object-group)# user-group EXAMPLE\\managers
hostname(config-user-object-group)# group-object local-admins

Step 3 (Optional) Add a description.

hostname(config-user-object-group)# description string

Cisco ASA Series Firewall CLI Configuration Guide
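The three steps assembled into one configuration, together with the step this section only points to: using the group in an extended ACL that is applied as an access rule. This is an added example, not configuration from the Cisco guide. The domain EXAMPLE, the AAA server group AD-SERVERS, the usernames and group names, the 10.10.0.0/24 server segment and the interface name inside are all assumed placeholders; the user-identity commands are the prerequisites documented in Chapter 5.

```cisco
! --- Identity firewall prerequisites (Chapter 5; placeholder domain and AAA group) ---
! Map the AD domain's NetBIOS name to the AAA server group the ASA queries over LDAP,
! and make EXAMPLE the default domain for names entered without a domain prefix.
user-identity domain EXAMPLE aaa-server AD-SERVERS
user-identity default-domain EXAMPLE
user-identity enable
!
! --- Local-database accounts (placeholder names) that Active Directory does not know about ---
username jdoe password ChangeMe123 privilege 15
username rlee password ChangeMe456 privilege 15
!
! --- Step 1-3: a group of LOCAL-database users ---
! LOCAL is written explicitly because the default domain above is the AD domain;
! an unqualified "user jdoe" would be resolved against EXAMPLE, not the local database.
object-group user local-admins
 description Break-glass admins held in the local database
 user LOCAL\jdoe
 user LOCAL\rlee
!
! --- Step 1-3: a consolidated group of AD users, AD groups and the nested local group ---
! The AD user is the sAMAccountName, not the cn. AD groups use the double backslash,
! and a group name containing a space is quoted together with its domain.
object-group user admins
 description Accounts allowed to manage the 10.10.0.0/24 server segment
 user EXAMPLE\admin
 user-group EXAMPLE\\managers
 user-group "EXAMPLE\\Server Operators"
 group-object local-admins
!
! --- Use the group in an extended ACL and apply it as an access rule ---
! object-group-user precedes the source address in the ACE. Only members of
! admins (from any source) may reach the segment over SSH; everyone else is denied.
access-list inside_access_in extended permit tcp object-group-user admins any 10.10.0.0 255.255.255.0 eq ssh
access-list inside_access_in extended deny ip any 10.10.0.0 255.255.255.0
access-group inside_access_in in interface inside
!
! --- Verification ---
! Confirm the groups as stored, then confirm which users are currently mapped to IP
! addresses; an ACE that matches no active user-IP mapping permits nothing.
show running-config object-group
show user-identity user active
```

Removing a member later is the no form inside the same sub-mode, for example no user-group EXAMPLE\\managers under object-group user admins; the ACL continues to reference the group by name, so membership changes take effect without touching the access rule.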