Configure Active Directory Agents - Cisco ASA Series Configuration Manual

Chapter 5 Identity Firewall

Configure Active Directory Agents

Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects
that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to
the secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the
communication protocol; therefore, you should specify a key attribute for the shared secret between the
ASA and AD Agent.
Before You Begin
•
•
To configure the AD Agents, perform the following steps:
Procedure
Create the AAA server group and configure AAA server parameters for the AD Agent.
Step 1
aaa-server server-tag protocol radius
Example:
hostname(config)# aaa-server adagent protocol radius
Enable the AD Agent mode.
Step 2
ad-agent-mode
Example:
hostname(config)# ad-agent-mode
Step 3 Configure the AAA server as part of a AAA server group and the AAA server parameters that are
host-specific for the AD Agent.
aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]
Example:
hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101
Specify the server secret value used to authenticate the ASA to the AD Agent server.
Step 4
key key
Example:
hostname(config-aaa-server-host)# key mysecret
Define the server group of the AD Agent.
Step 5
user-identity ad-agent aaa-server aaa_server_group_tag
Example:
hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagent
The first server defined in the aaa_server_group_tag argument is the primary AD Agent and the second
server defined is the secondary AD Agent. The Identity Firewall supports defining only two AD Agent
hosts.
AD agent IP address
Shared secret between the ASA and AD agent
Configure the Identity Firewall
Cisco ASA Series Firewall CLI Configuration Guide
5-13