Configure Identity-Based Security Policy - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure the Identity Firewall
For the aaa_server_group_tag argument, enter the value defined by the aaa-server command.

Configure Identity-Based Security Policy

You can incorporate identity-based policy in many ASA features. Any feature that uses extended ACLs
(other than those listed as unsupported in Guidelines for the Identity Firewall, page 5-7) can take
advantage of an identity firewall. You can now add user identity arguments to extended ACLs, as well
as network-based parameters.
Features that can use identity include the following:
Access rules—An access rule permits or denies traffic on an interface using network information.
With an identity firewall, you can control access based on user identity. See the firewall
configuration guide.
AAA rules—An authentication rule (also known as cut-through proxy) controls network access
based on the user. Because this function is very similar to an access rule plus an identity firewall,
AAA rules can now be used as a backup method of authentication if a user's AD login expires. For
example, for any user without a valid login, you can trigger a AAA rule. To ensure that the AAA
rule is triggered only for users that do not have valid logins, you can specify special usernames in
the extended ACLs used for the access rule and for the AAA rule: NONE (users without a valid login)
and ANY (users with a valid login). In the access rule, configure your policy as usual for users and
groups, and then include an access rule entry that permits all NONE users; you must permit these users
so they can later trigger a AAA rule (traffic denied by the access rule never reaches the AAA rule).
Then configure a AAA rule that denies ANY users (these users are not subject to the AAA rule; they
were handled already by the access rule) but permits all NONE users.
For example:
access-list 100 ex permit ip user CISCO\xyz any any
access-list 100 ex deny ip user CISCO\abc any any
access-list 100 ex permit ip user NONE any any
access-list 100 ex deny ip any any
access-group 100 in interface inside

access-list 200 ex deny ip user ANY any any
access-list 200 ex permit ip user NONE any any
aaa authenticate match 200 inside user-identity
For more information, see the legacy feature guide.
Cloud Web Security—You can control which users are sent to the Cloud Web Security proxy server.
In addition, you can configure policy on the Cloud Web Security ScanCenter that is based on user
groups that are included in ASA traffic headers sent to Cloud Web Security. See the firewall
configuration guide.
VPN filter—Although VPN does not support identity firewall ACLs in general, you can configure
the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic bypasses
interface access rules. You can force VPN clients to abide by access rules that use an identity
firewall ACL by disabling that bypass with the no sysopt connection permit-vpn command. You can
also use an identity firewall ACL with the VPN filter feature; a VPN filter achieves a similar effect
to applying access rules to VPN traffic in general.
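The following is an added illustration, not Cisco's code and not part of the configuration guide: a small Python model of the two-ACL pattern from the AAA rules item above. It parses access-list, access-group and aaa authenticate match lines, applies them in the order the text describes (access rule first, then the cut-through-proxy match ACL), and reports what happens to traffic from a hypothetical user. Only the user keyword semantics the page gives are modelled (NONE = no valid login, ANY = any valid login, DOMAIN\name = that user); security levels, object groups, ports and the real ASA connection path are simplified away. The sample configuration, source and destination addresses, and the user names CISCO\xyz, CISCO\abc and CISCO\other are constructed for the example.

```python
"""Added example (not Cisco's code): model of the identity-firewall two-ACL pattern.

Assumptions (not from the page): first-match ACL evaluation with an implicit deny,
the access rule evaluated before the 'aaa authenticate match' ACL, and user keyword
semantics NONE = no valid login, ANY = any valid login, DOMAIN\\name = that user.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the page's configuration with the 'ip' protocol keyword on every ACE.
SAMPLE_CONFIG = r"""
access-list 100 ex permit ip user CISCO\xyz any any
access-list 100 ex deny ip user CISCO\abc any any
access-list 100 ex permit ip user NONE any any
access-list 100 ex deny ip any any
access-group 100 in interface inside
access-list 200 ex deny ip user ANY any any
access-list 200 ex permit ip user NONE any any
aaa authenticate match 200 inside user-identity
"""


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    user: Optional[str]  # None when the ACE has no user clause
    src: str
    dst: str


@dataclass
class Policy:
    acls: Dict[str, List[Ace]]
    access_group: Dict[str, str]  # interface -> ACL applied inbound
    aaa_match: Dict[str, str]     # interface -> match ACL of 'aaa authenticate match'


def parse(config: str) -> Policy:
    """Collect ACEs per ACL name plus the two bindings the example relies on."""
    pol = Policy({}, {}, {})
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] in ("ex", "extended"):
            name, action, rest = tok[1], tok[3], tok[4:]
            if rest[0] != "user" and len(rest) > 2:
                rest = rest[1:]          # drop the protocol keyword (ip, tcp, ...) if present
            user = None
            if rest[0] == "user":
                user, rest = rest[1], rest[2:]
            pol.acls.setdefault(name, []).append(Ace(action, user, rest[0], rest[1]))
        elif tok[:1] == ["access-group"] and len(tok) >= 5 and tok[2] == "in":
            pol.access_group[tok[4]] = tok[1]   # access-group <acl> in interface <if>
        elif tok[:3] == ["aaa", "authenticate", "match"] and len(tok) >= 5:
            pol.aaa_match[tok[4]] = tok[3]      # aaa authenticate match <acl> <if> ...
    return pol


def user_matches(ace_user: Optional[str], login: Optional[str]) -> bool:
    """Identity-firewall user keyword semantics as described in the text."""
    if ace_user is None:
        return True                        # no user clause: matches every source
    if ace_user.upper() == "NONE":
        return login is None               # hosts with no valid user mapping
    if ace_user.upper() == "ANY":
        return login is not None           # hosts with any valid user mapping
    return login is not None and login.lower() == ace_user.lower()


def first_match(aces: List[Ace], login: Optional[str], src: str, dst: str) -> str:
    """ACLs are first-match with an implicit deny at the end."""
    for ace in aces:
        if (user_matches(ace.user, login)
                and ace.src in ("any", src) and ace.dst in ("any", dst)):
            return ace.action
    return "deny"


def evaluate(config: str, login: Optional[str], src: str = "10.1.1.10",
             dst: str = "192.0.2.80", iface: str = "inside") -> str:
    """Return 'deny', 'permit', or 'authenticate' (cut-through proxy challenge)."""
    pol = parse(config)
    acl = pol.access_group.get(iface)
    if acl is not None and first_match(pol.acls.get(acl, []), login, src, dst) == "deny":
        return "deny"          # dropped by the access rule; the AAA rule is never reached
    aaa_acl = pol.aaa_match.get(iface)
    if aaa_acl is not None and first_match(pol.acls.get(aaa_acl, []), login, src, dst) == "permit":
        return "authenticate"  # matched the AAA rule: the user is challenged to log in
    return "permit"


if __name__ == "__main__":
    for login in (r"CISCO\xyz", r"CISCO\abc", r"CISCO\other", None):
        print(f"{str(login):12} -> {evaluate(SAMPLE_CONFIG, login)}")
    # Failure mode: without 'permit ip user NONE' in ACL 100, unauthenticated hosts are
    # dropped by the access rule and never get the chance to authenticate.
    broken = SAMPLE_CONFIG.replace("access-list 100 ex permit ip user NONE any any\n", "")
    print("no NONE permit ->", evaluate(broken, None))
```

Running it shows the four outcomes the text relies on: the explicitly permitted user passes without a challenge, the explicitly denied user and any other logged-in user are stopped by the access rule, and only hosts with no user mapping reach the AAA rule. The last line demonstrates why the permit NONE entry in the access rule is mandatory.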
Related Topics
Chapter 3, "Access Control Lists."
Configure Local User Groups, page 2-7
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 5, Identity Firewall, page 5-18