Cisco ASA Series Configuration Manual page 77

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 5
Identity Firewall
When this command is configured, the ASA removes the user identity-IP address mapping for that client.
By default, the ASA uses the remove-user-ip keyword when this command is specified.
Step 12
user-identity ad-agent active-user-database {on-demand | full-download}
Example:
hostname(config)# user-identity ad-agent active-user-database full-download
Define how the ASA retrieves the user identity-IP address mapping information from the AD Agent.
By default, the ASA uses the full-download option.
Full-download—Specifies that the ASA send a request to the AD Agent to download the entire
IP-user mapping table when the ASA starts and then to receive incremental IP-user mapping
information when users log in and log out. Full downloads are event driven, meaning that when there
are subsequent requests to download the database, just the updates to the user identity-IP address
mapping database are sent.
On-demand—Specifies that the ASA retrieve the user mapping information of an IP address from
the AD Agent when the ASA receives a packet that requires a new connection, and the user of its
source IP address is not in the user-identity database.
When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the
ASA.
Step 13
user-identity ad-agent hello-timer seconds seconds retry-times number
Example:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3
Define the hello timer between the ASA and the AD Agent.
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello
packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and
domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello
packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5 retries.
Step 14
user-identity ad-agent event-timestamp-check
Example:
hostname(config)# user-identity ad-agent event-timestamp-check
Enable the ASA to keep track of the last event time stamp that it receives for each identifier and to
discard any message if the event time stamp is at least 5 minutes older than the ASA's clock, or if its
time stamp is earlier than the last event's time stamp.
For a newly booted ASA that does not have knowledge of the last event time stamp, the ASA compares
the event time stamp with its own clock. If the event is at least 5 minutes older, the ASA does not accept
the message.
We recommend that you configure the ASA, Active Directory, and Active Directory agent to synchronize
their clocks among themselves using NTP.
Step 15
user-identity ad-agent aaa-server aaa_server_group_tag
Example:
hostname(config)# user-identity ad-agent aaa-server adagent
Define the server group of the AD Agent.
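The fragment below assembles Steps 12 through 15 into one configuration, together with the RADIUS server group in AD Agent mode that Step 15 references and the NTP synchronization the guide recommends for Step 14. It is an added example, not a configuration taken from this guide; the interface name inside, the agent address 192.0.2.10, the NTP server 192.0.2.5 and the shared key are placeholders to replace with your own values.

```text
! Added example, not from the guide. Steps 12-15 assembled with the server
! group Step 15 points at and the NTP sync the guide recommends. The
! interface "inside", 192.0.2.10, 192.0.2.5 and the key are placeholders.

! Time sync first: event-timestamp-check discards events that are at least
! 5 minutes older than the ASA clock, so an unsynchronized ASA silently
! drops legitimate login/logout updates from the AD Agent.
ntp server 192.0.2.5 source inside prefer

! RADIUS server group for the AD Agent; ad-agent-mode marks it as such.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.0.2.10
 key AgentSharedSecret

! Step 12: download the whole IP-user table at startup, then receive
! incremental login/logout events (the default). on-demand instead queries
! the agent for each new connection whose source IP is not yet mapped.
user-identity ad-agent active-user-database full-download

! Step 13: hello every 20 seconds, 3 retries before the agent is considered
! unreachable (defaults are 30 seconds and 5 retries).
user-identity ad-agent hello-timer seconds 20 retry-times 3

! Step 14: reject stale and out-of-order events per identifier so a
! replayed or delayed logoff/logon cannot roll an IP mapping backwards.
user-identity ad-agent event-timestamp-check

! Step 15: bind the identity firewall to the server group defined above.
user-identity ad-agent aaa-server adagent

! Verification: agent reachability and replication/domain status.
test aaa-server ad-agent adagent
show user-identity ad-agent
show ntp status
```

Enter the NTP and server-group lines before the user-identity commands so that Step 15 can resolve the group and the timestamp check has a trustworthy clock from the first hello onward; after the commands are in, the show output should report the agent in-sync and the domain up before you rely on identity-based access rules.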
Configure the Identity Firewall
Cisco ASA Series Firewall CLI Configuration Guide
5-17
