Cisco Systems CL-28826-01 Security Camera User Manual


 
13-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Microsoft AD servers are the only type of LDAP server that you can use in the identity firewall
configuration. You must also abide by the following limitations for communications between
Security Manager and Active Directory:
  - Do not select the Enable LDAP over SSL option.
  - Do not select the SASL Kerberos Authentication option. Only simple and SASL MD5
    authentication mechanisms are supported. The simple mechanism, in which usernames and
    passwords are transmitted in clear text, is used if you do not select one of the SASL options.
• AD agents—Must use the RADIUS protocol. In the AAA server group object, select the AD Agent
  Mode option.
You should install the AD agents and configure them prior to configuring this policy. You can
configure at most two AD agents in the server group: the second agent is used only if the first agent
ceases to respond to queries. Any agents defined after the first two are ignored.
Obtain the AD agent software from http://www.cisco.com/go/asa. For information on setting up and
configuring the AD agent, see Installation and Setup Guide for the Active Directory Agent on
Cisco.com.
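The limits above can be checked mechanically against a deployed configuration. The following is an added example, not part of the Cisco guide: it assumes the AAA server objects are rendered as ASA-style aaa-server stanzas, and the sample config, group names and finding labels are constructed for illustration.

```python
import re

# Constructed sample (not from the manual); assumes ASA-style aaa-server stanzas.
SAMPLE = """\
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-over-ssl enable
 sasl-mechanism kerberos KRB_GROUP
aaa-server AD_LDAP (inside) host 10.0.0.11
aaa-server ADAGENT protocol radius
aaa-server ADAGENT (inside) host 10.0.0.20
aaa-server ADAGENT (inside) host 10.0.0.21
aaa-server ADAGENT (inside) host 10.0.0.22
"""

def parse_groups(config):
    # Result: {group: {"protocol", "opts", "hosts": [{"addr", "opts"}]}}
    groups, current = {}, None
    for line in config.splitlines():
        grp = re.match(r"aaa-server (\S+) protocol (\S+)", line)
        host = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if grp or host:
            name = (grp or host).group(1)
            g = groups.setdefault(name, {"protocol": None, "opts": [], "hosts": []})
            if grp:
                g["protocol"], current = grp.group(2), g["opts"]
            else:
                g["hosts"].append({"addr": host.group(2), "opts": []})
                current = g["hosts"][-1]["opts"]
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # indented sub-command of the last stanza
    return groups

def audit(config, ad_agent_group):
    """Return (location, label) findings for the limits listed in this section."""
    findings = []
    for name, g in parse_groups(config).items():
        if name == ad_agent_group:
            checks = [(g["protocol"] != "radius", "ad-agent-not-radius"),
                      ("ad-agent-mode" not in g["opts"], "ad-agent-mode-missing")]
            findings += [(name, label) for hit, label in checks if hit]
            # Only the first two agents are used; later ones are ignored.
            findings += [(f"{name}/{h['addr']}", "agent-ignored") for h in g["hosts"][2:]]
        elif g["protocol"] == "ldap":
            for h in g["hosts"]:
                where = f"{name}/{h['addr']}"
                sasl = [o.split()[1] for o in h["opts"] if o.startswith("sasl-mechanism ")]
                checks = [("ldap-over-ssl enable" in h["opts"], "ldap-over-ssl-selected"),
                          ("kerberos" in sasl, "sasl-kerberos-selected"),
                          (not sasl, "simple-bind-cleartext")]  # no SASL option selected
                findings += [(where, label) for hit, label in checks if hit]
    return findings
```

Calling audit(SAMPLE, "ADAGENT") reports the two unsupported LDAP options, the server that falls back to the clear-text simple mechanism, the missing AD Agent Mode setting, and the third agent that will never be queried.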
Related Topics
• Requirements for Identity-Aware Firewall Policies, page 13-3
• Understanding AAA Server and Server Group Objects, page 6-24
• Creating AAA Server Objects, page 6-29
• AAA Server Dialog Box—LDAP Settings, page 6-37
• Creating AAA Server Group Objects, page 6-45
• Configuring Identity Options, page 13-15
Step 1 Do one of the following:
• (Device view) Select an ASA device, then select Identity Options from the Policy selector. Select
  the AD Setup tab.
• (Policy view) Select Identity Options (ASA) from the Policy selector. Select an existing policy or
  create a new one. Select the AD Setup tab.
Step 2 If you want to be guided through the AD setup, click the Configure Identity button to start the Identity
configuration wizard. The wizard walks you through the process of configuring the AD servers for a
domain, and the AD agents, and can create the required AAA server and AAA server group objects for
you.
The wizard goes through the following steps:
• AD Server Settings—To configure the AD servers for a domain. See Identity Configuration Wizard
  Active Directory Settings, page 13-11.
• AD Agent Settings—To configure the AD agents for the ASA. See Identity Configuration Wizard
  Active Directory Agent, page 13-13.
• Preview—To show you which objects will be created. See Identity Configuration Wizard Preview,
  page 13-15.