Cisco ASA Series Cli Configuration Manual page 888

Software version 9.0 for the services module
Prerequisites
IPv6 Guidelines
Additional Guidelines and Limitations
Prerequisites
Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent and Microsoft Active Directory.
AD Agent
The AD Agent must be installed on a Windows server that is accessible to the ASA. Additionally, you must configure the AD Agent to obtain information from the Active Directory servers. Configure the AD Agent to communicate with the ASA.
IPv6 Guidelines
Supports IPv6.
  The AD Agent supports endpoints with IPv6 addresses. It can receive IPv6 addresses in log events, maintain them in its cache, and send them through RADIUS messages.
  NetBIOS over IPv6 is not supported.
Additional Guidelines and Limitations
A full URL as a destination address is not supported.
For NetBIOS probing to function, the network between the ASA, AD Agent, and clients must support UDP-encapsulated NetBIOS traffic.
MAC address checking by the Identity Firewall does not work when intervening routers are present. Users logged onto clients that are behind the same router appear to have the same MAC address. With this implementation, all packets arriving from the same router pass the check, because the ASA is unable to ascertain the actual MAC addresses behind the router.
The following ASA features do not support using the identity-based object and FQDN in an extended ACL:
  route-map
  Crypto map
  WCCP
  NAT
  group-policy (except VPN filter)
  DAP
When you use the Cisco Context Directory Agent (CDA) in conjunction with the ASA or Cisco IronPort Web Security Appliance (WSA), make sure that you open the following ports:
  Authentication port for UDP—1645
  Accounting port for UDP—1646
  Listening port for UDP—3799
  The listening port is used to send change of authentication requests from the CDA to the ASA or to the WSA.
For domain names, the following characters are not valid: \/:*?"<>|. For naming conventions, see http://support.microsoft.com/kb/909264.
For usernames, the following characters are not valid: \/[]:;=,+*?"<>|@.
For user groups, the following characters are not valid: \/[]:;=,+*?"<>|.
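As an added example (not code from the Cisco guide), the following Python check applies the three character rules above to DOMAIN\name specs before they are entered into an identity-based ACL, reporting which component carries which invalid character. The function names and the sample specs are constructed for illustration and do not refer to a real directory.

```python
# Added example, not Cisco code: pre-check identity names against the
# character rules stated in the Identity Firewall guidelines.

# Characters the guidelines list as invalid for each kind of name.
INVALID_DOMAIN_CHARS = set(r'\/:*?"<>|')
INVALID_USER_CHARS = set(r'\/[]:;=,+*?"<>|@')
INVALID_GROUP_CHARS = set(r'\/[]:;=,+*?"<>|')   # like users, but '@' is allowed


def invalid_chars(value, forbidden):
    """Return the forbidden characters present in value, in first-seen order."""
    found = []
    for ch in value:
        if ch in forbidden and ch not in found:
            found.append(ch)
    return found


def check_identity(spec, kind):
    """Validate a 'DOMAIN\\name' spec (hypothetical helper, not an ASA command).

    kind is 'user' or 'group'. The backslash separating the domain from the
    name is the only backslash allowed; any further backslash is reported as
    an invalid character of the name. Returns a list of problems; [] means valid.
    """
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    domain, sep, name = spec.partition("\\")
    if not sep:
        return ["missing backslash between domain and %s name" % kind]
    problems = []
    if not domain:
        problems.append("empty domain")
    if not name:
        problems.append("empty %s name" % kind)
    bad = invalid_chars(domain, INVALID_DOMAIN_CHARS)
    if bad:
        problems.append("domain contains invalid character(s): " + "".join(bad))
    forbidden = INVALID_USER_CHARS if kind == "user" else INVALID_GROUP_CHARS
    bad = invalid_chars(name, forbidden)
    if bad:
        problems.append("%s name contains invalid character(s): %s" % (kind, "".join(bad)))
    return problems


if __name__ == "__main__":
    # Constructed sample specs; none refer to a real directory.
    for spec, kind in [("CORP\\alice", "user"), ("CORP\\alice@corp.example", "user"),
                       ("CORP\\ops@team", "group"), ("CO:RP\\bob", "user"), ("alice", "user")]:
        print(spec, kind, check_identity(spec, kind) or "OK")
```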
Chapter 1: Configuring the Identity Firewall