Features Of The Identity Firewall - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
About the Identity Firewall

Figure 5-1 Identity Firewall Components
[Diagram not reproduced. Labels in the figure: LAN, Client, 10.1.1.2, mkg.example.com, ASA, AD Servers, AD Agent, NetBIOS Probe, WMI. The numbered callouts 1 to 6 are described below.]

1. On the ASA: Administrators configure local user groups and Identity Firewall policies.

2. ASA <-> AD Server: The ASA sends an LDAP query for the Active Directory groups configured on the AD Server.
   The ASA consolidates local and Active Directory groups and applies access rules and Modular Policy Framework security policies based on user identity.

3. ASA <-> AD Agent: Depending on the Identity Firewall configuration, the ASA downloads the IP-user database or sends a RADIUS request to the AD Agent that asks for the user's IP address.
   The ASA forwards the new mapped entries that have been learned from web authentication and VPN sessions to the AD Agent.

4. Client <-> ASA: The client logs into the network through Microsoft Active Directory. The AD Server authenticates users and generates user login security logs.
   Alternatively, the client can log into the network through a cut-through proxy or VPN.

5. ASA <-> Client: Based on the policies configured on the ASA, it grants or denies access to the client.
   If configured, the ASA probes the NetBIOS of the client to pass inactive and no-response users.

6. AD Agent <-> AD Server: The AD Agent maintains a cache of user ID and IP address mapped entries and notifies the ASA of changes.
   The AD Agent sends logs to a syslog server.

Features of the Identity Firewall

The Identity Firewall includes the following key features.

Flexibility
- The ASA can retrieve user identity and IP address mapping from the AD Agent by querying the AD Agent for each new IP address or by maintaining a local copy of the entire user identity and IP address database.
- Supports host group, subnet, or IP address for the destination of a user identity policy.
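
The following ASA configuration is an added example, not taken from the Cisco guide. It sketches how the components in Figure 5-1 and the two mapping-retrieval modes listed under Flexibility are typically expressed on the CLI. The server-group names (AD_LDAP, AD_AGENT), the domain nickname SAMPLE, all addresses, secrets, user and group names, and the ACL and object-group names are placeholders.

```text
! Constructed example: every name, address and secret below is a placeholder.
!
! Callout 2: AD Server, queried over LDAP for Active Directory groups
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=sample,DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn SAMPLE\svc-asa
 ldap-login-password REPLACE_WITH_BIND_PASSWORD
 ldap-over-ssl enable
 server-port 636
!
! Callout 3: AD Agent, reached over RADIUS for user-to-IP mappings
aaa-server AD_AGENT protocol radius
 ad-agent-mode
aaa-server AD_AGENT (inside) host 192.0.2.20
 key REPLACE_WITH_RADIUS_SHARED_SECRET
!
user-identity domain SAMPLE aaa-server AD_LDAP
user-identity default-domain SAMPLE
user-identity ad-agent aaa-server AD_AGENT
!
! Flexibility, first bullet: choose one retrieval mode.
!   on-demand     = query the AD Agent for each new IP address
!   full-download = keep a local copy of the entire user/IP database
user-identity ad-agent active-user-database on-demand
!
! Callout 5: optional NetBIOS probe of clients
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity enable
!
! Flexibility, second bullet: the destination of a user identity policy
! can be a host group, a subnet, or a single IP address.
object-group network FINANCE_SERVERS
 network-object host 198.51.100.10
 network-object host 198.51.100.11
access-list IDFW_IN extended permit tcp user-group SAMPLE\\group.finance any object-group FINANCE_SERVERS eq https
access-list IDFW_IN extended permit tcp user SAMPLE\user1 any 198.51.100.0 255.255.255.0 eq https
access-list IDFW_IN extended permit tcp user SAMPLE\user1 any host 198.51.100.50 eq ssh
access-group IDFW_IN in interface inside
```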
