Cisco ASA Series Cli Configuration Manual page 899

Software version 9.0 for the services module

Chapter 1      Configuring the Identity Firewall

  See Chapter 1, "Configuring AAA Rules for Network Access."

• Cloud Web Security—You can control which users are sent to the Cloud Web Security proxy server. In addition, you can configure policy on the Cloud Web Security ScanCenter that is based on user groups that are included in ASA traffic headers sent to Cloud Web Security. See "Configuring the ASA for Cisco Cloud Web Security."

• VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (no sysopt connection permit-vpn command). You can also use an identity firewall ACL with the VPN filter feature; VPN filter accomplishes a similar effect as allowing access rules in general.

• And many more...

Examples

AAA Rule and Access Rule Example 1

This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA. In this example, the following conditions apply:

• The ASA IP address is 172.1.1.118.
• The Active Directory domain controller has the IP address 71.1.2.93.
• The end user client has the IP address 172.1.1.118 and uses HTTPS to log in through a web portal.
• The user is authenticated by the Active Directory domain controller via LDAP.
• The ASA uses the inside interface to connect to the Active Directory domain controller on the corporate network.

    hostname(config)# access-list AUTH extended permit tcp any 172.1.1.118 255.255.255.255 eq http
    hostname(config)# access-list AUTH extended permit tcp any 172.1.1.118 255.255.255.255 eq https
    hostname(config)# aaa-server LDAP protocol ldap
    hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 171.1.2.93
    hostname(config-aaa-server-host)# ldap-base-dn DC=cisco,DC=com
    hostname(config-aaa-server-host)# ldap-group-base-dn DC=cisco,DC=com
    hostname(config-aaa-server-host)# ldap-scope subtree
    hostname(config-aaa-server-host)# ldap-login-dn cn=kao,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
    hostname(config-aaa-server-host)# ldap-login-password *****
    hostname(config-aaa-server-host)# ldap-over-ssl enable
    hostname(config-aaa-server-host)# server-type microsoft
    hostname(config-aaa-server-host)# aaa authentication match AUTH inside LDAP
    hostname(config)#
    hostname(config)# http server enable
    hostname(config)# http 0.0.0.0 0.0.0.0 inside
    hostname(config)#
    hostname(config)# auth-prompt prompt Enter Your Authentication
    hostname(config)# auth-prompt accept You are Good
    hostname(config)# auth-prompt reject Goodbye

    access-list 100 ex deny ip user CISCO\abc any any
    access-list 100 ex permit ip user NONE any any    ----> these users will match AAA rule
    access-list 100 ex deny any any
    access-group 100 in interface inside

    access-list 200 ex deny ip user ANY any any       -----> skips users who already logged in
    access-list 200 ex permit user NONE any any
    aaa authenticate match 200 inside user-identity
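To make the user NONE / user ANY semantics of the two ACLs above concrete, the following is an added Python model, not Cisco code or ASA output: it parses the example's ACEs, applies first-match evaluation with the implicit deny, and combines ACL 100 (access-group) and ACL 200 (aaa authentication match) in a simplified order that is an assumption rather than the ASA's documented processing pipeline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# user NONE -> source IP has no user mapping yet; user ANY -> mapped to any
# authenticated user; user DOMAIN\name -> that user. First match wins, else implicit deny.
@dataclass
class Ace:
    action: str              # "permit" or "deny"
    user: Optional[str]      # None when the ACE has no user keyword
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_ace(line: str) -> Ace:
    """Parse 'access-list <id> ex <action> [ip] [user <u>] <src> <dst>' (arrow notes stripped)."""
    t = line.split("-->")[0].split()
    if t[0] != "access-list" or t[2] not in ("ex", "extended"):
        raise ValueError(f"not an extended ACE: {line!r}")
    net = lambda x: ipaddress.IPv4Network("0.0.0.0/0" if x == "any" else x)
    i, action = 4, t[3]
    if t[i] == "ip":         # the protocol keyword is optional in these ACEs
        i += 1
    user, i = (t[i + 1], i + 2) if t[i] == "user" else (None, i)
    return Ace(action, user, net(t[i]), net(t[i + 1]))

def evaluate(acl: list[Ace], user: Optional[str], src: str, dst: str) -> str:
    """First-match evaluation of one ACL; returns 'permit' or 'deny'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in acl:
        if (a.user == "NONE" and user is not None) or (a.user == "ANY" and user is None):
            continue         # identity keyword does not match this flow
        if a.user not in (None, "NONE", "ANY") and (user or "").lower() != a.user.lower():
            continue         # a specific DOMAIN\name did not match
        if s in a.src and d in a.dst:
            return a.action
    return "deny"            # implicit deny at the end of every ACL

# Constructed input: the example's two ACLs, copied from the page.
ACL_100 = [parse_ace(l) for l in """access-list 100 ex deny ip user CISCO\\abc any any
access-list 100 ex permit ip user NONE any any
access-list 100 ex deny any any""".splitlines()]
ACL_200 = [parse_ace(l) for l in """access-list 200 ex deny ip user ANY any any -----> skips users who already logged in
access-list 200 ex permit user NONE any any""".splitlines()]

def cut_through_decision(user: Optional[str], src: str, dst: str) -> str:
    """Simplified model (an assumption, not Cisco's pipeline): access-group ACL first, then AAA match."""
    if evaluate(ACL_100, user, src, dst) == "deny":
        return "dropped"
    return "authenticate" if evaluate(ACL_200, user, src, dst) == "permit" else "forwarded"
```

An unauthenticated flow is permitted by ACL 100 and matched by ACL 200, so it is sent to the cut-through proxy login; once the source IP is mapped to a user, the user ANY deny in ACL 200 keeps it from being prompted again.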
Task Flow for Configuring the Identity Firewall
Cisco ASA Series CLI Configuration Guide      Chapter 1      1-19
