ASA Basic URL Filtering based on Active Directory Group?

I have a client who is looking to upgrade their current firewall / proxy. The customer currently only uses the proxy to filter who is allowed access to the internet. I am looking to solve this problem on a single device (ASA). In particular they have an ASA 5510 but would be looking to upgrade it. They currently classify users as "no internet", "selected sites", "internet", and "full access" in AD (Win Srv 2012). "No Internet" users are blocked from all sites except a few sites like UPS and their time clock SaaS provider. "Selected Sites" users are allowed to a list of sites that the IT manager updates. "Internet" and "Full Access" are now similar in that they are allowed to all sites. (They used to have URL category filtering but don't subscribe anymore.)

I am looking to have the firewall check AD to see what group the user is in and then apply a rule (access list, etc) based on the group.

Ideally, I would like to make this as simple to manage as possible (current proxy has web interface to add sites to allow) but don't want to spend a ton on modules and software just to get 1 feature.

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I think this can be achieved using the Identity Firewall configuration on the ASA device:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/asdm70/configuration_guide/asdm_70_config/aaa_idfw.html

Note: this feature was introduced in ASA 8.4.2.

You would need CDA for it to work.

Thanks and Regards,

Vibhor Amrodia
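To make the suggestion above concrete, here is a sketch of what an Identity Firewall policy for the four AD groups in the question could look like. This is an added example, not configuration from the thread or from Cisco's guide; the domain name EXAMPLE, the group names, the object names, the 192.0.2.x addresses, the FQDNs and the credentials are all placeholders you would replace with your own. It assumes ASA 8.4(2) or later with a Context Directory Agent (CDA) feeding user-to-IP mappings, which is the part that limits the approach where many users share one source address.

```cisco
! --- Added example: ASA Identity Firewall policy keyed on AD group membership ---
! All names, addresses and FQDNs below are placeholders (constructed for this example).

! DNS is needed so FQDN network objects can resolve to addresses for the ACLs.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.10

! Destinations the "No Internet" group may still reach (the UPS site and the time clock SaaS).
object network UPS_WEB
 fqdn www.ups.com
object network TIMECLOCK_SAAS
 fqdn timeclock.placeholder.invalid
object-group network NOINTERNET_ALLOWED
 network-object object UPS_WEB
 network-object object TIMECLOCK_SAAS

! The IT manager's maintained allow list for the "Selected Sites" group;
! adding a site means adding one object here rather than touching the ACL.
object network SELECTED_SITE_1
 fqdn vendor-portal.placeholder.invalid
object-group network SELECTED_SITES
 network-object object UPS_WEB
 network-object object TIMECLOCK_SAAS
 network-object object SELECTED_SITE_1

object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https

! LDAP server used to look up group membership in AD.
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-ldap-reader,CN=Users,DC=example,DC=com
 ldap-login-password REPLACE_ME
 server-type microsoft

! CDA (Context Directory Agent) supplies the user-to-IP mappings learned from AD logon events.
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (inside) host 192.0.2.20
 key REPLACE_ME

user-identity domain EXAMPLE aaa-server AD
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server CDA
user-identity enable

! Per-group policy on the inside interface. Order matters: each group's narrow
! permits come first, followed by that group's catch-all deny.
access-list INSIDE_IN extended permit udp any any eq domain
access-list INSIDE_IN extended permit tcp user-group EXAMPLE\\NoInternet any object-group NOINTERNET_ALLOWED object-group WEB_PORTS
access-list INSIDE_IN extended deny ip user-group EXAMPLE\\NoInternet any any
access-list INSIDE_IN extended permit tcp user-group EXAMPLE\\SelectedSites any object-group SELECTED_SITES object-group WEB_PORTS
access-list INSIDE_IN extended deny ip user-group EXAMPLE\\SelectedSites any any
access-list INSIDE_IN extended permit ip user-group EXAMPLE\\Internet any any
access-list INSIDE_IN extended permit ip user-group EXAMPLE\\FullAccess any any
! Anyone the ASA cannot map to a user falls through to the implicit deny.
access-group INSIDE_IN in interface inside
```

The matching here is still done on the source IP address: the ASA consults the CDA mapping for the packet's source, then evaluates the user-group ACEs for whichever user is recorded against that address. On a workstation network that gives per-user policy; on a Remote Desktop host, where every session shares the host's address, only one mapping can be current for that address, so all sessions would be treated as that one user. That is the limitation the rest of the thread discusses.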

Unfortunately, as I understand it, this solution allows an IP based on username. Since they use Remote Desktop Services and most users would end up having the same IP (of the Terminal Server host), it would allow everyone on the TS, not just the individual user.

You're correct - Identity Firewall features don't work in the use case of multiple TS users coming from the same address. There is an unresolved enhancement request filed for this issue.

Even if you had a 5500-X series with WSE and AVC NGFW services on the CX module and use identity-based policies there, you still have the constraint that the CX maps authenticated users to IP addresses to record that a given source has been authenticated. Reference.

A non-Cisco solution is available for this use case using Palo Alto Networks' User-ID Terminal Services agent in conjunction with their firewall. Reference.
