ASA Basic URL Filtering based on Active Directory Group?

Unanswered Question
Sep 22nd, 2014

I have a client who is looking to upgrade their current firewall / proxy. The customer currently only uses the proxy to filter who is allowed access to the internet. I am looking to solve this problem on a single device (ASA). In particular they have an ASA 5510 but would be looking to upgrade it. They currently classify users as "no internet", "selected sites", "internet", and "full access" in AD (Win Srv 2012). "No Internet" users are blocked to all sites except a few sites like UPS and their time clock SaaS provider. "Selected Sites" are allowed to a list of sites that the IT manager updates. "Internet" and "Full Access" are now similar in that they are allowed to all sites. (Used to have URL category filtering but don't subscribe anymore.)

I am looking to have the firewall check AD to see what group the user is in and then apply a rule (access list, etc) based on the group.

Ideally, I would like to make this as simple to manage as possible (current proxy has web interface to add sites to allow) but don't want to spend a ton on modules and software just to get 1 feature.

Christopher Baker Sun, 10/05/2014 - 10:22

Unfortunately, as I understand it, this solution allows an IP based on username. Since they use remote desktop services and most users would end up having the same IP (of the Terminal Server Host), it would allow everyone on the TS, not just the individual user.


Marvin Rhoads Sun, 10/05/2014 - 10:44

You're correct - Identity Firewall features don't work in the use case of multiple TS users coming from the same address. There is an unresolved enhancement request filed for this issue.

Even if you had a 5500-X series with WSE and AVC NGFW services on the CX module and use identity-based policies there, you still have the constraint that the CX maps authenticated users to IP addresses to record that a given source has been authenticated. Reference.

A non-Cisco solution is available for this use case using Palo Alto Networks' User-ID Terminal Services agent in conjunction with their firewall. Reference.
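As an added illustration (not configuration from this thread, and not taken from Cisco's documentation), here is what the AD-group-based policy the question asks for looks like with the ASA Identity Firewall, with comments marking where the user-to-IP mapping Marvin describes breaks down for Terminal Server sessions. The domain name, server addresses, group names, object names and passwords are all assumptions.

```text
! ASA Identity Firewall, group-based outbound policy (assumed, illustrative values)
! LDAP server group: used by the ASA to look up AD group membership
aaa-server ADLDAP protocol ldap
aaa-server ADLDAP (inside) host 10.1.1.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-login-dn cn=asa-svc,cn=users,dc=example,dc=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-group-base-dn dc=example,dc=com
! AD Agent: forwards user-to-IP mappings learned from DC logon events to the ASA
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.1.1.11
 key <placeholder>
user-identity ad-agent aaa-server ADAGENT
user-identity domain EXAMPLE aaa-server ADLDAP
user-identity default-domain EXAMPLE
user-identity enable
! Destination lists the IT manager maintains (constructed placeholder addresses)
object-group network NOINET-ALLOWED
 network-object host 203.0.113.10
 network-object host 203.0.113.20
object-group network SELECTED-SITES
 network-object host 203.0.113.30
! Per-group rules, first match wins
access-list INSIDE_IN extended permit tcp user-group EXAMPLE\\no-internet any object-group NOINET-ALLOWED eq 443
access-list INSIDE_IN extended deny tcp user-group EXAMPLE\\no-internet any any eq 443
access-list INSIDE_IN extended deny tcp user-group EXAMPLE\\no-internet any any eq 80
access-list INSIDE_IN extended permit tcp user-group EXAMPLE\\selected-sites any object-group SELECTED-SITES eq 443
access-list INSIDE_IN extended deny tcp user-group EXAMPLE\\selected-sites any any eq 443
access-list INSIDE_IN extended deny tcp user-group EXAMPLE\\selected-sites any any eq 80
! "internet" and "full access" groups fall through to this line
access-list INSIDE_IN extended permit tcp any any eq 443
access-list INSIDE_IN extended permit tcp any any eq 80
access-group INSIDE_IN in interface inside
! Caveat: the user-group match is evaluated against the single user the ASA
! has mapped to the packet's source IP. Every session on a Terminal Server
! shares the host's IP, so all of them inherit whichever user the agent mapped
! to that address last. Verify with: show user-identity user-of-ip <ts-host-ip>
```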
