13-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
This section contains the following topics:
Enabling Identity-Aware Firewall Services, page 13-8
Creating Identity User Group Objects, page 13-19
Selecting Identity Users in Policies, page 13-21
Configuring Identity-Based Firewall Rules, page 13-21
Configuring Cut-Through Proxy, page 13-23
Collecting User Statistics, page 13-25
Filtering VPN Traffic with Identity-Based Rules, page 13-26
Enabling Identity-Aware Firewall Services
Use the Identity Options policy to enable identity-aware firewall services. To configure the policy, do
one of the following:
(Device view) Select an ASA device, then select Identity Options from the Policy selector.
(Policy view) Select Identity Options (ASA) from the Policy selector. Select an existing policy or
create a new one.
The policy includes the following tabs:
AD Setup—Configure the Active Directory servers that define the users and user groups for the
network, and the AD agent used to collect the information and provide it to the ASA. See Identifying
Active Directory Servers and Agents, page 13-8.
Advanced—Enable or disable user identity services and configure options for error handling, the
NetBIOS logout probe, idle timeout, and AD agent communication settings. See Configuring
Identity Options, page 13-15.
Identifying Active Directory Servers and Agents
Use the AD Setup tab of the Identity Options policy to identify the Active Directory servers and agents
to use for user identity information. You must configure at least one AD server and one AD agent to
enable identity-aware firewall policies that include user specifications (such as identity user group
objects).
Note: ASA Software 8.4(2) or later is required for the identity-aware firewall.
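For reference, the ASA running configuration that the AD Setup and Advanced tabs ultimately produce looks like the fragment below. This is an added illustration, not text from the user guide or a configuration generated by Security Manager; the interface name, addresses (RFC 5737 documentation range), DNs, group names and placeholder secrets are all assumed and must be replaced with your own.

```cisco
! Added example: ASA CLI equivalent of the Identity Options policy.
! Interface, addresses, DNs and secrets are hypothetical placeholders.
!
! AD server group. Identity firewall requires the LDAP protocol, and
! server-type microsoft is what makes ldap-group-base-dn configurable
! (with server-type auto-detect the group base DN cannot be set).
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=example,DC=com
 ldap-group-base-dn OU=Groups,DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
!
! AD agent server group. The agent speaks RADIUS; ad-agent-mode on the
! group and user-identity on the host entry tell the ASA to pull
! IP-to-user mappings from it rather than treat it as a plain
! authentication server. The key is the shared secret set on the agent.
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 192.0.2.20
 key <shared-secret>
 user-identity
!
! Bind the NetBIOS domain name to the LDAP group, point identity
! services at the agent, and enable the feature (the Advanced tab's
! enable/disable switch).
user-identity domain EXAMPLE aaa-server AD
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server ADAGENT
user-identity enable
```

Two points a reviewer of this configuration should check. The bind account in ldap-login-dn only needs read access to the user and group containers, so it should be an ordinary, non-privileged service account with a long random password; and LDAP over SSL (ldap-over-ssl enable with port 636) keeps that password and the directory queries off the wire in cleartext, which the default port 389 does not. After deploying, test aaa-server authentication AD host 192.0.2.10 username <user> password <pw> confirms the LDAP bind, and show user-identity ad-agent confirms the ASA can reach the agent.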
Before You Begin
The configuration uses AAA server group policy objects, and the server group objects incorporate AAA
server objects. You can create these objects through the Policy Object Manager (by selecting Manage >
Policy Objects), or you can create them while completing this procedure (by using the configuration
wizard or by clicking the Add Object + button in the object selector dialog box).
The objects need to meet these requirements:
AD servers—Must use the LDAP protocol. If you select Microsoft as the LDAP server type, you can
also specify the LDAP Group Base DN to identify the base directory for user group searches, to
reduce search time. If you select Auto Detect, you cannot configure the group base DN, even though