Cisco ASA Series Configuration Manual page 75

Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs Also See for ASA Series:
Table of Contents

Advertisement

Chapter 5
Identity Firewall
Associate the LDAP parameters defined for the AAA server for importing user group queries with the
Step 3
domain name.
user-identity domain domain_nickname aaa-server aaa_server_group_tag
Example:
hostname(config)# user-identity domain SAMPLE aaa-server ds
For the domain_nickname argument, enter a name of up to 32 characters consisting of [a-z], [A-Z],
[0-9], [!@#$%^&()-_=+[]{};,. ] except '.' and ' ' at the first character. If the domain name includes a
space, you must enclose that space character in quotation marks. The domain name is not case sensitive.
Step 4
Enable NetBIOS probing.
user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval
seconds seconds retry-count times [user-not-needed | match-any | exact-match]
Example:
hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10
retry-interval seconds 10 retry-count 2 user-not-needed
Enabling this option configures how often the ASA probes the user client IP address to determine
whether the client is still active. By default, NetBIOS probing is disabled. To minimize the NetBIOS
packets, the ASA only sends a NetBIOS probe to a client when the user has been idle for more than the
specified number of minutes.
Exact-match—The username of the user assigned to the IP address must be the only one in the
NetBIOS response. Otherwise, the user identity of that IP address is considered invalid.
User-not-needed—As long as the ASA received a NetBIOS response from the client, the user
identity is considered valid.
The Identity Firewall only performs NetBIOS probing for those users identities that are in the active state
and exist in at least one security policy. The ASA does not perform NetBIOS probing for clients where
the users logged in through cut-through proxy or by using a VPN.
Specify the amount of time before a user is considered idle, meaning the ASA has not received traffic
Step 5
from the user's IP address for the specified amount of time.
user-identity inactive-user-timer minutes minutes
Example:
hostname(config)# user-identity inactive-user-timer minutes 120
When the timer expires, the user's IP address is marked as inactive and removed from the local cached
user identity-IP address mapping database, and the ASA no longer notifies the AD Agent about that IP
address. Existing traffic is still allowed to pass. When this command is specified, the ASA runs an
inactive timer even when the NetBIOS Logout Probe is configured.
By default, the idle timeout is set to 60 minutes. This option does not apply to VPN or cut-through proxy
users.
Specify the amount of time before the ASA queries the Active Directory server for user group
Step 6
information.
user-identity poll-import-user-group-timer hours hours
Example:
hostname(config)# user-identity poll-import-user-group-timer hours 1
Configure the Identity Firewall
Cisco ASA Series Firewall CLI Configuration Guide
5-15

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents