Cisco Systems CL-28826-01 Security Camera User Manual

13-24
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
You can configure cut-through proxy to account for this possibility. With cut-through proxy, if a user is
blocked, the user can sign on directly to the ASA, and the ASA will update the user-to-IP mapping to
correctly reflect the current IP address for the user. The new mapping is forwarded to all contexts that
contain the interface where the HTTP/HTTPS packets are received and authenticated.
You use AAA rules to configure cut-through proxy. You have two configuration choices, based on
whether the network has a single NetBIOS domain or more than one:
• Single domain—Configure a regular AAA rule for authentication and specify the LDAP server
group that identifies the Active Directory servers for the domain. Use “any” for the source, and the
IP address of the ASA for the destination. For service, you can include HTTP and HTTPS. Then,
when the user needs to authenticate to the server, the user enters one of the standard authentication
URLs, where interface_ip is the IP address of the interface and port is optionally the port number,
if you specify a non-default port for the protocol in the interactive authentication table:
http://interface_ip[:port]/netaccess/connstatus.html or
https://interface_ip[:port]/netaccess/connstatus.html
Tip The user-to-IP mapping is put under the same domain as configured for the selected AD server group. If
you use another means for authentication, the mapping is placed under the LOCAL domain.
• Multiple domains—Configure two authentication rules that use the User-Identity option instead of
a specific AAA server group. The following procedure explains this setup. Note that this setup also
works for single-domain networks. Users authenticate to the ASA using the same URLs mentioned
above.
When you use the User-Identity option, authentication is handled as follows:
– If the user includes the domain in the login credentials, in the format DOMAIN\username, the
ASA uses the domain to determine which AD server to use for authentication, based on the
domain mappings in the Identity Options policy. If no AAA server is mapped to the domain, the
authentication attempt is rejected.
– If the login credentials do not include an identifiable domain name (typically, if the \ character
is not included in the username string), the ASA uses the AD server assigned to the default
domain selected in the Identity Options policy. If no AAA server is mapped to the default
domain, the authentication attempt is rejected.
Tip Cut-through proxy works for IPv4 addresses only; IPv6 is not supported.
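The following Python model is an added example, not code from the guide or from Cisco: it reproduces the User-Identity domain-resolution rules above (explicit DOMAIN\username, fallback to the default domain, rejection when no AAA server group is mapped) and builds the cut-through proxy sign-on URL, refusing IPv6 interface addresses as the tip notes. The domain names, server group names and IP addresses are constructed placeholders; treating NetBIOS domain names as case-insensitive is an assumption.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for an Identity Options policy: NetBIOS domain -> AAA (LDAP) server group.
# Domain and group names here are placeholders, not values from the guide.
IDENTITY_OPTIONS = {
    "domain_map": {"CORP": "AD-CORP-LDAP", "LAB": "AD-LAB-LDAP"},
    "default_domain": "CORP",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_aaa_server_group(username: str, policy: dict) -> Optional[str]:
    """Model the ASA's User-Identity lookup as described in the guide.

    DOMAIN\\username -> server group mapped to DOMAIN in the Identity Options policy.
    no backslash     -> server group mapped to the policy's default domain.
    Returns None when no AAA server group is mapped, i.e. the ASA rejects the attempt.
    """
    domain_map = policy["domain_map"]
    if "\\" in username:
        domain, _, user = username.partition("\\")
        if not domain or not user:          # malformed credentials: nothing to map
            return None
        # Assumption: NetBIOS domain names compare case-insensitively; keys are stored upper-case.
        return domain_map.get(domain.upper())
    default = policy.get("default_domain")
    return domain_map.get(default) if default else None


def connstatus_url(interface_ip: str, scheme: str = "https", port: Optional[int] = None) -> str:
    """Build the cut-through proxy sign-on URL for an ASA interface.

    Only IPv4 interface addresses are accepted, matching the guide's note that
    cut-through proxy does not support IPv6. The port is appended only when it is
    a non-default port for the protocol (as set in the interactive authentication table).
    """
    addr = ipaddress.ip_address(interface_ip)   # raises ValueError on a non-address string
    if addr.version != 4:
        raise ValueError("cut-through proxy supports IPv4 interface addresses only")
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be http or https")
    host = str(addr)
    if port is not None and port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    return f"{scheme}://{host}/netaccess/connstatus.html"
```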
Related Topics
Requirements for Identity-Aware Firewall Policies, page 13-3
Configuring the Firewall to Provide Identity-Aware Services, page 13-7
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 15-4
Understanding How Users Authenticate, page 15-2
Step 1 Configure the Identity Options policy to specify all of the NetBIOS domains and their AD server groups,
and the AD agent group, for the network, as described in Identifying Active Directory Servers and
Agents, page 13-8.
Step 2 Do one of the following to open the AAA Rules Page, page 15-10:
(Device view) Select Firewall > AAA Rules from the Policy selector.