Support User Manuals

Cisco Systems CL-28826-01 Security Camera User Manual

Open as PDF

of 2616

13-4

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 13 Managing Identity-Aware Firewall Policies

Overview of Identity-Aware Firewall Policies

AD agent You must configure off-box AD agents to act as an intermediary

between the ASA and the AD servers. The AD agent maintains an

active mapping of users to IP address.

By default, except for the 5505, the ASA obtains this list when it boots

or reloads, and the AD agent sends new mappings as they are collected.

The 5505 queries the AD agent on an as-needed basis in response to

traffic matching rules that include identity criteria. We recommend that

you use this default behavior, although you can change it using the

Identity Options policy.

The AD agent uses the RADIUS protocol.

For information on setting up and configuring the AD agent, see

Installation and Setup Guide for the Active Directory Agent on

Cisco.com at

http://www.cisco.com/en/US/products/ps6120/prod_installation_guide

s_list.html.

Client systems Users who pass traffic through the device must use one of the following

client platforms:

• Windows XP SP3.

• Windows Vista.

• Windows 7.

• Other systems that use Active Directory in a manner consistent

with the explicitly supported platforms.

IPv6 IPv6 is supported with the following exceptions:

• NetBIOS over IPv6 is not supported.

• Multiple IPv6 addresses on user workstations is not supported.

Windows 64-bit systems can use temporary IPv6 addresses when

initiating some communications. If a user registers with the AD

agent using one IPv6 address, then initiates communication with

another address, an identity-aware firewall rule for the user would

not be applied and instead a rule that matches the second IPv6

address would be applied.

There are two options for disabling the use of these temporary

addresses:

–

Disable IPv6 routing advertisements on all interfaces on all

networking devices in the network.

–

On each Windows machine, open a command window, enter

the following commands, and reboot the workstation:

netsh interface ipv6 set privacy state=disable

netsh interface ipv6 set global

randomizeidentifiers=disabled

Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued)

Requirement Description

previous next