Cisco ASA Series Cli Configuration Manual page 898

Task Flow for Configuring the Identity Firewall
Command
Step 13
hostname(config)# user-identity ad-agent hello-timer
seconds seconds retry-times number
Example:
hostname(config)# user-identity ad-agent hello-timer
seconds 20 retry-times 3
Step 14
hostname(config)# user-identity ad-agent aaa-server
aaa_server_group_tag
Example:
hostname(config)# user-identity ad-agent aaa-server
adagent
What to Do Next
Configure the Active Directory domain and server groups. See
Domain, page
Configure AD Agents. See
Configuring Identity-Based Security Policy
You can incorporate identity-based policy in many ASA features. Any feature that uses extended ACLs
(other than those listed as unsupported in the
advantage of identity firewall. You can now add user identity arguments to extended ACLs, as well as
network-based parameters.
•
•
Features that can use identity include the following:
•
•
Cisco ASA Series CLI Configuration Guide
1-18
1-10.
Configuring Active Directory Agents, page
To configure an extended ACL, see
To configure local user groups, which can be used in the ACL, see the
Groups" section on page 1-11.
Access rules—An access rule permits or denies traffic on an interface using network information.
With identity firewall, you can now control access based on user identity. See
"Configuring Access Rules."
AAA rules—An authentication rule (also known as "cut-through proxy") controls network access
based on user. Because this function is very similar to an access rule + identity firewall, AAA rules
can now be used as a backup method of authentication if a user's AD login expires. For example,
for any user without a valid login, you can trigger a AAA rule. To ensure that the AAA rule is only
triggered for users that do not have valid logins, you can specify special usernames in the extended
ACL used for the access rule and for the AAA rule: None (users without a valid login) and Any
(users with a valid login). In the access rule, configure your policy as usual for users and groups, but
then include a rule that permits all None users; you must permit these users so they can later trigger
a AAA rule. Then, configure a AAA rule that denies Any users (these users are not subject to the
AAA rule, and were handled already by the access rule), but permits all None users:
access-list 100 ex permit ip user CISCO\xyz any any
Chapter 1
Purpose
Defines the hello timer between the ASA and the AD
Agent.
The hello timer between the ASA and the AD Agent
defines how frequently the ASA exchanges hello
packets. The ASA uses the hello packet to obtain
ASA replication status (in-sync or out-of-sync) and
domain status (up or down). If the ASA does not
receive a response from the AD Agent, it resends a
hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5
retries.
Defines the server group of the AD Agent.
For aaa_server_group_tag, enter the value defined
by the aaa-server command.
Configuring the Active Directory
"Guidelines and Limitations" section on page
Chapter 1, "Adding an Extended Access Control List."
Configuring the Identity Firewall
1-12.
1-7) can take
"Configuring Local User
Chapter 1,