13-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Overview of Identity-Aware Firewall Policies
Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued)

Requirement: AD agent
Description: You must configure off-box AD agents to act as an intermediary between the ASA and the AD servers. The AD agent maintains an active mapping of users to IP addresses.
By default, except for the 5505, the ASA obtains this list when it boots or reloads, and the AD agent sends new mappings as they are collected. The 5505 queries the AD agent on an as-needed basis in response to traffic matching rules that include identity criteria. We recommend that you use this default behavior, although you can change it using the Identity Options policy.
The AD agent uses the RADIUS protocol.
For information on setting up and configuring the AD agent, see Installation and Setup Guide for the Active Directory Agent on Cisco.com at http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html.

Requirement: Client systems
Description: Users who pass traffic through the device must use one of the following client platforms:
• Windows XP SP3.
• Windows Vista.
• Windows 7.
• Other systems that use Active Directory in a manner consistent with the explicitly supported platforms.

Requirement: IPv6
Description: IPv6 is supported with the following exceptions:
• NetBIOS over IPv6 is not supported.
• Multiple IPv6 addresses on user workstations are not supported.
Windows 64-bit systems can use temporary IPv6 addresses when initiating some communications. If a user registers with the AD agent using one IPv6 address and then initiates communication from another address, the identity-aware firewall rule for that user is not applied; instead, a rule that matches the second IPv6 address is applied.
There are two options for disabling the use of these temporary addresses:
– Disable IPv6 routing advertisements on all interfaces on all networking devices in the network.
– On each Windows machine, open a command window, enter the following commands, and reboot the workstation:
    netsh interface ipv6 set privacy state=disable
    netsh interface ipv6 set global randomizeidentifiers=disabled
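The following PowerShell script is an added example, not part of the Cisco guide: it audits a Windows workstation for the IPv6 temporary-address condition described in Table 13-1 by reading the two netsh settings the table's remediation commands change and listing any temporary addresses currently assigned. It assumes netsh.exe is available, PowerShell 2.0 or later, and the English "Key : value" output layout of netsh on Windows Vista and 7 (the output format of Windows XP differs and is not parsed here).

```powershell
# Added example (not from the Cisco guide): check whether this workstation still
# uses temporary (privacy) IPv6 addresses, the condition under which Table 13-1
# says an identity-aware rule for the user would not match the user's traffic.
# Assumes netsh.exe, PowerShell 2.0+, and the English netsh output of Vista/7.

function Get-NetshSetting {
    # Runs a netsh query and returns the value of the first "Key : value" line.
    param([string[]]$NetshArgs, [string]$Key)
    $output = & netsh.exe $NetshArgs 2>&1
    foreach ($line in $output) {
        if ($line -match ('^\s*' + [regex]::Escape($Key) + '\s*:\s*(\S+)')) {
            return $matches[1].ToLower()
        }
    }
    return $null   # key absent from this Windows version's output
}

function Get-TemporaryIPv6Address {
    # Returns addresses that "netsh interface ipv6 show addresses" lists with
    # address type "Temporary" (columns: Addr Type, DAD State, Valid Life,
    # Pref. Life, Address).
    $output = & netsh.exe interface ipv6 show addresses 2>&1
    $found = @()
    foreach ($line in $output) {
        if ($line -match '^\s*Temporary\s+\S+\s+\S+\s+\S+\s+(\S+)') {
            $found += $matches[1]
        }
    }
    return $found
}

$useTemporary = Get-NetshSetting -NetshArgs @('interface','ipv6','show','privacy') -Key 'Use Temporary Addresses'
$randomize    = Get-NetshSetting -NetshArgs @('interface','ipv6','show','global')  -Key 'Randomize Identifiers'
$tempAddrs    = @(Get-TemporaryIPv6Address)   # @() keeps Count valid when empty

# Both settings must be "disabled" and no temporary address may remain assigned.
$compliant = ($useTemporary -eq 'disabled') -and
             ($randomize -eq 'disabled') -and
             ($tempAddrs.Count -eq 0)

"Use Temporary Addresses : $useTemporary"
"Randomize Identifiers   : $randomize"
"Temporary addresses now : $(if ($tempAddrs.Count -gt 0) { $tempAddrs -join ', ' } else { 'none' })"
"Meets Table 13-1 requirement: $compliant"
if (-not $compliant) {
    "Apply the two netsh commands from Table 13-1 and reboot the workstation."
}
```

A workstation that reports both settings as disabled but still lists a temporary address has not yet been rebooted, which is why the table's procedure ends with a reboot.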