ASA: IDFW (Identity Firewall) Step by Step configuration

Document

Nov 14, 2011 7:42 PM

Goal

With Identity firewall, we can configure access-list and allow/restrict permission based on users and/or groups that exist in the Active Directory Domain.

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

AD-Agent Configuration

ASA-CLI

ASA-ASDM

Prerequisite

The ASA must be running minimum 8.4.2 code to be able to configure IDFW feature.

The AD Agent must be installed on a Windows server that is reachable from the ASA. You must also configure the AD Agent to obtain information from the Active Directory servers and to communicate with the ASA.

Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.

Windows 2003 R2 is not supported for the AD Agent server.

The ASA sends login information to the Active Directory server encrypted with LDAP over SSL, so SSL must be enabled on the Active Directory server.

Limitations

•     A full URL as a destination address is not supported.

•     MAC address checking by the Identity Firewall does not work when intervening routers are present.

The following ASA features do not support using the identity-based object and FQDN:

route-map

Crypto map

WCCP

NAT

group-policy (except VPN filter)

DAP

Scenarios

Feature is supported in all models of ASAs.

Feature is supported in all modes of ASAs - transparent, routed, single and multiple-context mode.

Total users supported - ASA 5505: 1024 users; all other ASA models: 64K users

Total groups supported - 256 groups

Total number of IPs per user in a domain - 8 IP addresses

AD Agent can support up to 100 client devices and 30 domain controller machines, and can internally cache up to 64,000 IP-to-user-identity mappings.

ASA - The Identity Firewall supports defining only two AD-Agent hosts. This applies to single as well as multiple contexts. Each context can support only 2 AD-Agents.

Description / Topology

DC and AD-Agent co-located on the same box. No redundancy. The step by step configuration below is based on this topology.

no-redundancy.jpg

DC and AD-Agent on different boxes. No redundancy.

no-redundance-dc-ada.jpg

Multiple DCs and Single AD-Agent - all on separate boxes.

Offers redundancy.

many-dc-one-ada.jpg

Multiple DCs and multiple AD-Agents - all on separate boxes. Offers redundancy. For example, if you have 30 domain controllers you would need 2 AD-Agent boxes. Each AD-Agent will have all 30 DCs configured on it to receive login/logoff events from. You would configure both AD-Agents on the ASA. The ASA talks to only one AD-Agent at a time and uses the other as backup.

If you have more than 30 domain controllers, then consider multiple context. Each context follows the same IDFW rules. Each context can support only 2 AD-Agents. 

multi-dc-multi-ada.jpg

Licensing for IDFW

Base License - All Models

Topology

topology.jpg

Step by Step Configuration

1. Configure the Active Directory Domain (on the ASA)

Gather the following information:

a. AD Domain Controller Server IP address

b. Distinguished Name for LDAP base dn

c. Create a UserID and password on the DC that the ASA/IDFW will use to connect to the DC (Domain Controller)

The DC's name is kurelisankar.DC1.SAMPLE.com. By configuring the ldap-base-dn, the AD server knows where to begin searching when it receives an authorization request.

KUSANKAR-ASA-5505(config)# aaa-server AD1 protocol ldap

KUSANKAR-ASA-5505(config-aaa-server-group)#aaa-server AD1 (inside) host 192.168.2.2

KUSANKAR-ASA-5505(config-aaa-server-host)# ldap-base-dn DC=DC1,DC=SAMPLE,DC=com

KUSANKAR-ASA-5505(config-aaa-server-host)# ldap-scope subtree

KUSANKAR-ASA-5505(config-aaa-server-host)# server-type microsoft

KUSANKAR-ASA-5505(config-aaa-server-host)# server-port 389

By default the ASA talks to the DC on TCP port 389. If SSL is enabled on the DC, enable ldap-over-ssl on the ASA as well and configure server-port 636 so that the ASA talks to the DC on port 636. This is optional.

KUSANKAR-ASA-5505(config-aaa-server-host)# ldap-over-ssl enable

KUSANKAR-ASA-5505(config-aaa-server-host)# server-port 636

Configure the userID (kusankar) and password on the AD Server for the ASA to be able to log into the AD Domain.

create-user-in-AD.jpg

hostname(config-aaa-server-host)# ldap-login-dn DC1\kusankar ("ldap-login-dn kusankar" is also correct)

hostname(config-aaa-server-host)# ldap-login-password cisco123

If configuring via ASDM, see the screenshot below to create the AAA server group:

aaa-server.jpg

2. Configure the AD Agent either on the DC or on a member server in the domain

Download AD Agent installer from here: http://tools.cisco.com/squish/930d9 File Name: AD_Agent-v1.0.0.32-build-539-Installer.exe

In this example the AD Agent is installed on the Domain Controller. The AD Agent has the following components:

  1. Radius Server - Interacts with the ASA
  2. AD Observer - Monitors AD Domain Controllers and updates the Agent DB.
  3. WatchDog - Monitors AD Observer and Radius
  4. CLI - commands to add the ASA as well as the DCs on the AD Agent.

a. Install AD Agent on the DC or member server.

The installer will install the AD Agent in the C:\IBF\ (IBF - Identity Based Firewall) directory of the Windows machine.

idagen-install-4.jpg

Clicking on the "show details" button will show the files being copied.

idagen-install-3.jpg

b. Confirm the AD_Agent install

Go to the command prompt on the Windows machine and run "adactrl.exe show running" from the path C:\IBF\CLI

Output similar to this will be seen.


AD-Agent.jpg

c. Sending logs from the AD Agent to a syslog server (optional)

From the command line prompt, type "cd C:\IBF\CLI" and then enter the command:

adacfg syslog create -name kiwi-server -ip 192.168.2.3

If you need help with the options type "adacfg help syslog".

adacft-syslog-help.jpg

d. Configure the AD Agent to obtain information from all the DCs

  • The DCs should run one of the following OS versions and already be a member of the domain (Windows 2003 R2 is not supported for the AD Agent server):

     Windows Server 2003

     Windows Server 2008 - must have the http://support.microsoft.com/kb/958124 and http://support.microsoft.com/kb/973995 hotfixes installed.

     Windows Server 2008 R2 - must have either SP1 or the http://support.microsoft.com/kb/981314 hotfix installed.

  • Make sure the Windows firewall or any other firewall is not enabled on the DCs. If a firewall is enabled, make sure the WMI exceptions are allowed per this link http://tools.cisco.com/squish/d3694

adacfg client create

  • From the command line prompt, type cd C:\IBF\CLI and create the ASA as a client on the AD Agent server. The -secret is the RADIUS shared secret.

adacfg client create -name KUSANKAR-ASA-5505 -ip 192.168.2.1/32 -secret cisco

At the command prompt type "adacfg help client" to get the options and sample command syntax.

ad-agent-config.jpg

adacfg dc create

  • From the command line prompt, type cd C:\IBF\CLI and create all the DCs from which the AD Agent will receive logon/logoff events.

     Gather the following information

     DC - Name

     DC - Host name or FQDN

     DC - user (must be a member of domain admin group)

     Password of the above user-ID

To find the FQDN

  1. On the Windows Taskbar, click Start > Programs > Administrative Tools > Active Directory Domains and Trusts.
  2. In the left pane of the Active Directory Domains and Trusts dialog box, look under Active Directory Domains and Trusts. The FQDN for the computer or computers is listed.
adacfg dc create -name KS -host kurelisankar -domain dc1.sample.com -user Administrator -password ww

adacfg-dc-create.jpg

Once the DC has been added via the "adacfg dc create" command, we can verify the status by the "adacfg dc list" command and make sure the DC shows "UP".

dc-satus.jpg

  • Make sure the DCs are configured to send logon logoff events to the security event log.

a. To enable 672/673 (or 4768/4769 for Windows 2008 ) logon events in the Domain Controller event log, choose Start > Administrative Tools > Domain Controller Security Policy on each Domain Controller machine.

b. Choose Security Settings > Local Policies > Audit Policy.

c. Define the policy setting for the Audit Account login events policy (audit success). See screen shot below:

audit-success.jpg

  • Make sure the WMI (Windows Management Instrumentation) service is started on the AD Agent and on the Domain Controllers, and that the firewall on both is either turned off or allows the following ports. The list does not include the dynamically allocated (random) port numbers used by WMI.

     1645, 1646, 1812, 1813 - udp

     888 - tcp      

3. Configure the AD Agent on the ASA

ASA config:

Gather the following information:

a. AD Agent IP address (AD Agent could be installed on the DC)

b. Shared secret between ASA and AD agent  (cisco)

KUSANKAR-ASA-5505(config)# aaa-server adagent protocol radius

KUSANKAR-ASA-5505(config-aaa-server-group)# ad-agent-mode

KUSANKAR-ASA-5505(config-aaa-server-group)#aaa-server adagent (inside) host 192.168.2.2

KUSANKAR-ASA-5505(config-aaa-server-host)# key cisco

KUSANKAR-ASA-5505(config-aaa-server-host)# user-identity ad-agent aaa-server adagent

Here is the screen shot to configure it from the ASDM side:

ad-agent-config-on-asa.jpg

Ping and AD-Agent test from the ASA and ping test from AD-Agent:


Test the connectivity between the ASA and the AD Agent with the command "test aaa-server ad-agent adagent". This test succeeds only if the "name" used in "adacfg dc create -name KS -host kurelisankar -domain dc1.sample.com -user Administrator -password ww" (here "KS") can be resolved to the DC's IP address. The NetBIOS name KS is case sensitive.

From AD-Agent:

ping-name.jpg

From ASA:

KUSANKAR-ASA-5505# ping KS.dc1.sample.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


KUSANKAR-ASA-5505# test aaa-server ad-agent adagent

Server IP Address or name: 192.168.2.2

INFO: Attempting Ad-agent test to IP address <192.168.2.2> (timeout: 12 seconds)

INFO: Ad-agent Successful

4. Configure Identity Options on the ASA

Configure user-identity on the ASA. The user-identity domain can differ from the company's e-mail domain and from the domain-name configured on the ASA: it is the simple NETBIOS name of the Active Directory domain. To find the NETBIOS name of the AD domain, look at the screenshot below. The NETBIOS name is case sensitive. If it is incorrect, the ASA will not send the query on port 389 to retrieve the users and groups from the AD server.

NETBIOS-name.jpg

hostname(config)#user-identity domain DC1 aaa-server AD1

hostname(config)#user-identity default-domain DC1

User-identity config on the ASDM side:

user-identity.jpg

user-identity optional setting:

** The following commands are optional **

hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-in seconds 10 retry-count 2 user-not-needed

hostname(config)# user-identity inactive-user-timer minutes 120

hostname(config)# user-identity poll-import-user-group-timer hours 1

hostname(config)# user-identity action netbios-response-fail remove-user-ip

hostname(config)# user-identity user-not-found enable  

hostname(config)# user-identity action mac-address-mismatch remove-user-ip

hostname(config)# user-identity ad-agent active-user-database full-download

user-identity optional setting from ASDM that matches the above settings:

user-identity-optional-setting.jpg
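The mistakes that steps 1, 3 and 4 and the "Common Problems" section describe are all visible in the running config itself: a user-identity domain written as a DNS name or in the wrong case, an LDAP group on port 636 without ldap-over-ssl (or the reverse), a RADIUS group that was never put into ad-agent-mode, a default-domain with no matching domain line. The following linter is an added example (not from this document or from Cisco) that reads those lines out of a config dump and reports each of these conditions; the two sample configs are constructed from the commands shown above, the finding codes are my own, and the case check is a warning to verify against the debug output, not a hard rule.

```python
import re

# Constructed sample 1: the aaa-server and user-identity lines from steps 1, 3 and 4
# of this document, as they appear in the running config.
SAMPLE_CONFIG_OK = """
aaa-server AD1 protocol ldap
aaa-server AD1 (inside) host 192.168.2.2
 ldap-base-dn DC=DC1,DC=SAMPLE,DC=com
 ldap-scope subtree
 server-type microsoft
 server-port 636
 ldap-over-ssl enable
 ldap-login-dn DC1\\kusankar
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.2.2
 key cisco
user-identity domain DC1 aaa-server AD1
user-identity default-domain DC1
user-identity ad-agent aaa-server adagent
"""

# Constructed sample 2: the DNS-style, lower-case domain from Common Problems item 8,
# an LDAP group on port 636 without ldap-over-ssl (item 7), and a RADIUS group that
# was never put into ad-agent-mode (step 3).
SAMPLE_CONFIG_BAD = """
aaa-server DC01 protocol ldap
aaa-server DC01 (inside) host 172.20.100.10
 ldap-base-dn DC=testvpn,DC=it
 server-type microsoft
 server-port 636
aaa-server ADA protocol radius
aaa-server ADA (inside) host 192.168.2.100
 key cisco
user-identity domain testvpn.it aaa-server DC01
user-identity default-domain testvpn.it
user-identity ad-agent aaa-server ADA
"""


def parse_config(text):
    """Return ({group_name: {protocol, hosts, attrs}}, [user-identity lines]).

    Indented lines are attached to the most recent aaa-server group or host;
    group-level and host-level settings are merged into one attrs set here.
    """
    groups, ui_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), {"protocol": None, "hosts": [], "attrs": set()})
            current["protocol"] = m.group(2).lower()
            continue
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), {"protocol": None, "hosts": [], "attrs": set()})
            current["hosts"].append(m.group(2))
            continue
        if line.startswith("user-identity "):
            current = None
            ui_lines.append(line)
            continue
        if current is not None:
            current["attrs"].add(line)  # ad-agent-mode, key, ldap-*, server-port ...
    return groups, ui_lines


def lint(text):
    """Return a list of (code, message) findings for the IDFW-related config."""
    groups, ui_lines = parse_config(text)
    findings = []
    domains = {}  # user-identity domain name -> LDAP aaa-server group it points at
    for line in ui_lines:
        m = re.match(r"user-identity domain (\S+) aaa-server (\S+)$", line)
        if m:
            domains[m.group(1)] = m.group(2)
    for dom, grp in domains.items():
        if "." in dom:
            findings.append(("DOMAIN-NOT-NETBIOS", f"'{dom}' looks like a DNS name; use the NetBIOS domain name"))
        if dom != dom.upper():
            findings.append(("DOMAIN-CASE-CHECK", f"'{dom}' is not upper-case; compare with 'debug user-identity ad-agent'"))
        g = groups.get(grp)
        if g is None or g["protocol"] != "ldap":
            findings.append(("LDAP-GROUP-MISSING", f"domain '{dom}' points at '{grp}', not an LDAP aaa-server group"))
    for line in ui_lines:
        m = re.match(r"user-identity default-domain (\S+)$", line)
        if m and m.group(1) not in domains:
            findings.append(("DEFAULT-DOMAIN-MISSING", f"default-domain '{m.group(1)}' has no 'user-identity domain' line"))
        m = re.match(r"user-identity ad-agent aaa-server (\S+)$", line)
        if m:
            g = groups.get(m.group(1))
            if g is None or g["protocol"] != "radius":
                findings.append(("ADAGENT-GROUP-NOT-RADIUS", f"'{m.group(1)}' is not a RADIUS aaa-server group"))
            elif "ad-agent-mode" not in g["attrs"]:
                findings.append(("ADAGENT-NO-MODE", f"RADIUS group '{m.group(1)}' is missing 'ad-agent-mode'"))
    for name, g in groups.items():
        if g["protocol"] != "ldap":
            continue
        ssl = "ldap-over-ssl enable" in g["attrs"]
        port = 389  # ASA default LDAP port when server-port is not set
        for attr in g["attrs"]:
            m = re.match(r"server-port (\d+)$", attr)
            if m:
                port = int(m.group(1))
        if ssl != (port == 636):
            findings.append(("LDAP-SSL-PORT-MISMATCH", f"LDAP group '{name}': ldap-over-ssl {'on' if ssl else 'off'} but server-port {port}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("OK", SAMPLE_CONFIG_OK), ("BAD", SAMPLE_CONFIG_BAD)):
        print(label, lint(cfg) or "no findings")
```

Run it against a `show running-config` capture before opening a TAC case; the second sample produces four findings and the first none.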

5. Configure Identity-based (AD user/group based) Access Rules on the ASA.

hostname(config)# object-group user USERS

hostname(config-user-object-group)# user DC1\user1

hostname(config-user-object-group)# user-group DC1\\specialists

hostname(config-user-object-group)# exit

access-list inside-acl extended permit ip user DC1\user1 any host 10.10.10.10

access-list inside-acl extended permit ip user-group DC1\\specialists any host 20.20.20.10

access-list inside-acl extended permit ip object-group-user USERS any host 4.2.2.2


Here is the equivalent of the above from ASDM.

object-group user:

object-group-user.jpg

ACL configuration using user, group and object-group-user:

ASDM-ACL.jpg
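To see how the three kinds of identity ACE above are resolved, here is a small evaluator, added as an example and not code from this document or from the ASA. It parses the three access-list lines and the USERS object-group from step 5, looks the source address up in a constructed IP-to-user table (what `show user-identity user-of-ip` answers) and a constructed group membership table (what `show user-identity user-of-group` lists), and walks the ACL in order with the implicit deny at the end. The addresses 192.168.2.10, 192.168.2.11 and the membership of user2 in specialists are assumptions; one modelling assumption to note is that a source IP with no user mapping (an address `show user-identity user-not-found` would list) matches none of the identity ACEs here.

```python
import re

# Constructed sample: the user object-group and the three identity ACEs from step 5.
ACL_TEXT = r"""
access-list inside-acl extended permit ip user DC1\user1 any host 10.10.10.10
access-list inside-acl extended permit ip user-group DC1\\specialists any host 20.20.20.10
access-list inside-acl extended permit ip object-group-user USERS any host 4.2.2.2
"""
OBJECT_GROUPS = {"USERS": [("user", r"DC1\user1"), ("user-group", r"DC1\\specialists")]}

# Constructed IP-to-user table, i.e. what 'show user-identity user-of-ip' would answer.
USER_OF_IP = {"192.168.2.10": r"DC1\user1", "192.168.2.11": r"DC1\user2"}
# Constructed group membership, i.e. what 'show user-identity user-of-group' would list.
GROUP_MEMBERS = {r"DC1\specialists": {r"DC1\user2"}}


def canon(name):
    # Collapse the CLI's DC1\\specialists and DC1\user1 spellings to one backslash.
    return "\\".join(p for p in re.split(r"\\+", name) if p)


def _take_addr(tok, i):
    """Consume one address spec ('any' or 'host <ip>') starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {tok[i]}")


def parse_acl(text):
    """Parse 'access-list NAME extended ...' lines into a list of ACE dicts, in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "extended":
            raise ValueError(f"not an extended ACE: {line}")
        action, proto, i = tok[3], tok[4], 5
        subject = None
        if tok[i] in ("user", "user-group", "object-group-user"):
            subject = (tok[i], tok[i + 1])
            i += 2
        src, i = _take_addr(tok, i)
        dst, i = _take_addr(tok, i)
        aces.append({"acl": tok[1], "action": action, "proto": proto,
                     "subject": subject, "src": src, "dst": dst})
    return aces


def subject_match(subject, user):
    """True when the ACE's identity subject applies to the user behind the source IP."""
    if subject is None:
        return True                     # plain ACE, no identity condition
    if user is None:
        return False                    # assumption: unmapped IP matches no identity ACE
    kind, value = subject
    if kind == "user":
        return canon(value) == canon(user)
    if kind == "user-group":
        return canon(user) in GROUP_MEMBERS.get(canon(value), set())
    if kind == "object-group-user":
        return any(subject_match(entry, user) for entry in OBJECT_GROUPS.get(value, ()))
    raise ValueError(kind)


def evaluate(aces, src_ip, dst_ip, user_of_ip=USER_OF_IP):
    """Return (action, index of the matching ACE) or ('deny', None) for the implicit deny."""
    user = user_of_ip.get(src_ip)
    for idx, ace in enumerate(aces):
        if (ace["src"] in ("any", src_ip) and ace["dst"] in ("any", dst_ip)
                and subject_match(ace["subject"], user)):
            return ace["action"], idx
    return "deny", None


ACES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for src, dst in (("192.168.2.10", "10.10.10.10"), ("192.168.2.11", "4.2.2.2"),
                     ("10.117.14.72", "10.10.10.10")):
        print(src, "->", dst, evaluate(ACES, src, dst))
```

The last flow in the usage block comes from an address without a mapping, which is why a host that has not logged on through a monitored DC is denied by every identity rule and only the non-identity ACEs (none here) can admit it.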

Show commands

show user-identity user active

show user-identity user active domain DC1

show user-identity user active domain DC1 list

KUSANKAR-ASA-5505# sh user-identity user active domain DC1 list detail

Total active users: 1    Total IP addresses: 1

  DC1: 1 users, 1 IP addresses

  DC1\Administrator: 0 active conns; idle 0 mins

    192.168.2.2: login 99 mins, idle 0 mins, 0 active conns

show user-identity user inactive

show user-identity user inactive domain DC1

KUSANKAR-ASA-5505# show user-identity user inactive user-group DC1\\specialists

Total inactive users: 1

  DC1\user2


show user-identity user all

show user-identity user all list

KUSANKAR-ASA-5505# show user-identity user all list detail

Total users: 3    Total IP addresses: 1

  DC1\Administrator: 2 active conns; idle 0 mins

    192.168.2.2: login 114 mins, idle 0 mins, 2 active conns

    169.254.218.201: inactive

    169.254.25.142: inactive

  DC1\user1: 0 active conns

  DC1\user2: 0 active conns
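The `show user-identity user all list detail` output above is the table a SOC needs to put a user name next to an address in ASA connection logs. The following parser is an added example, not from this document or from Cisco: it turns that output into a per-user structure, inverts it into an IP-to-user map for the addresses the ASA currently treats as logged in (inactive addresses are deliberately left out), and tags a constructed %ASA-6-302013 connection line with the mapped user. The sample output is the one shown above; the syslog line and the tag format are assumptions.

```python
import re

# Constructed sample: the 'show user-identity user all list detail' output shown above.
SAMPLE_OUTPUT = """Total users: 3    Total IP addresses: 1
  DC1\\Administrator: 2 active conns; idle 0 mins
    192.168.2.2: login 114 mins, idle 0 mins, 2 active conns
    169.254.218.201: inactive
    169.254.25.142: inactive
  DC1\\user1: 0 active conns
  DC1\\user2: 0 active conns
"""
# Constructed ASA connection-build syslog line for the mapped address above.
SAMPLE_SYSLOG = ("%ASA-6-302013: Built inbound TCP connection 1 for outside:172.17.1.61/3839 "
                 "(172.17.1.61/3839) to inside:192.168.2.2/80 (192.168.2.2/80)")

USER_RE = re.compile(r"^  (\S+): (\d+) active conns(?:; idle (\d+) mins)?")
IP_RE = re.compile(r"^    (\d+\.\d+\.\d+\.\d+): "
                   r"(?:login (\d+) mins, idle (\d+) mins, (\d+) active conns|inactive)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_user_identity(text):
    """Parse the show output into {user: {active_conns, idle_mins, ips: {ip: record}}}."""
    users, current = {}, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), {
                "active_conns": int(m.group(2)),
                "idle_mins": int(m.group(3)) if m.group(3) else None,
                "ips": {}})
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            ip, login, idle, conns = m.groups()
            if login is None:
                current["ips"][ip] = {"state": "inactive"}
            else:
                current["ips"][ip] = {"state": "active", "login_mins": int(login),
                                      "idle_mins": int(idle), "active_conns": int(conns)}
    return users


def ip_to_user(users):
    """Invert the table to {ip: user} for addresses the ASA currently treats as logged in."""
    return {ip: user for user, info in users.items()
            for ip, rec in info["ips"].items() if rec["state"] == "active"}


def enrich(syslog_line, mapping):
    """Append 'user-identity: ip=user' for every mapped address found in an ASA syslog line."""
    tags = []
    for ip in IPV4_RE.findall(syslog_line):
        tag = f"{ip}={mapping[ip]}" if ip in mapping else None
        if tag and tag not in tags:
            tags.append(tag)
    return syslog_line + (" user-identity: " + ", ".join(tags) if tags else "")


if __name__ == "__main__":
    table = parse_user_identity(SAMPLE_OUTPUT)
    print(ip_to_user(table))
    print(enrich(SAMPLE_SYSLOG, ip_to_user(table)))
```

Because the mapping is a snapshot, re-run the show command on the same schedule as the inactive-user-timer; an address that has aged out on the ASA should age out of the enrichment table too.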


The command below shows all the IP addresses for which the ASA has not received an IP-to-user mapping from the AD Agent.

KUSANKAR-ASA-5505# sh user-identity user-not-found

10.117.14.72

14.36.100.2

14.36.1.106

14.36.109.44

14.36.1.206

14.36.254.80

14.36.1.36

172.18.254.1


The command below shows the groups that have been activated via access-group, policy-map or capture.

KUSANKAR-ASA-5505# sh user-identity group

Group ID    Activated Group Name (Domain\\Group)

--------    ------------------------------------

       1    DC1\\specialists

       2    LOCAL\\USERS

The command below gives a good view of the domain status from the AD Agent's point of view.

show user-identity ad-agent statistics

KUSANKAR-ASA-5505# sh user-identity ad-agent

Primary AD Agent:

Status                    up (registered)

Mode:                     full-download

IP address:               192.168.2.2

Authentication port:      udp/1645

Accounting port:          udp/1646

ASA listening port:       udp/3799

Interface:                inside

Up time:                  17 hours 16 mins

Average RTT:              0 msec

AD Domain Status:

Domain DC1:               up


The command below displays all the groups the ASA has received from the Domain Controller. The output is partial.

KUSANKAR-ASA-5505# show user-identity ad-groups DC1

Domain:DC1    AAA Server Group: AD1

Group list retrieved successfully

Number of Active Directory Groups: 38


dn: CN=DHCP Administrators,CN=Users,DC=DC1,DC=SAMPLE,DC=com

sAMAccountName: DHCP Administrators


sAMAccountName: Domain Users

dn: CN=Domain Guests,CN=Users,DC=DC1,DC=SAMPLE,DC=com

sAMAccountName: Domain Guests

dn: CN=Group Policy Creator Owners,CN=Users,DC=DC1,DC=SAMPLE,DC=com


dn: CN=Technologists,CN=Users,DC=DC1,DC=SAMPLE,DC=com

sAMAccountName: Technologists

dn: CN=Specialists,CN=Users,DC=DC1,DC=SAMPLE,DC=com

sAMAccountName: Specialists


If you need to query one particular group, use this command:

KUSANKAR-ASA-5505# sh user-identity ad-groups DC1 filter specialists

Domain:DC1    AAA Server Group: AD1

Group list retrieved successfully

Number of Active Directory Groups: 1

dn: CN=Specialists,CN=Users,DC=DC1,DC=SAMPLE,DC=com

sAMAccountName: Specialists


If you need to filter on one particular user, issue this command:

KUSANKAR-ASA-5505# sh user-identity ad-user DC1 filter user1       

Domain:DC1    AAA Server Group: AD1

User list retrieved successfully

Number of Active Directory Users: 1

dn: CN=Ashley Smith,CN=Users,DC=DC1,DC=SAMPLE,DC=com

sAMAccountName: user1


If you need to see the connections opened by user-identity users, issue this command:

KUSANKAR-ASA-5505# sh conn user-identity

9 in use, 4379 most used

TCP outside 172.18.109.166:8014 inside 192.168.2.2:3190, idle 0:04:15, bytes 626, flags UO

TCP outside 172.28.128.140:443 dmz 14.36.109.44:4604, idle 0:00:00, bytes 0, flags saA

TCP outside 172.24.180.18:443 dmz 14.36.109.44:4603, idle 0:00:01, bytes 0, flags saA

TCP outside 10.117.14.72:53999 inside (DC1\Administrator) 192.168.2.2:5900, idle 0:00:00, bytes 21614768, flags UIOB

If you need to know the IP mapping of a user, issue this command:

KUSANKAR-ASA-5505# sh user-identity ip-of-user DC1\Administrator det

DC1\192.168.2.2 (Login) Login time: 150 mins; Idle time: 0 mins; 2 active conns

If you need the user mapping of an IP, issue this command:

KUSANKAR-ASA-5505# sh user-identity user-of-ip 192.168.2.2

DC1\Administrator (Login)

KUSANKAR-ASA-5505#

KUSANKAR-ASA-5505#


If you need the user mapping of a group, issue the command below. When new users are added to an AD group, it takes about 8 hours for the ASA to get the updated user-group mappings from the AD. This can be triggered manually on the ASA with "user-identity update import-user"; then make sure all the users that belong to the group show up by issuing "show user-identity user-of-group CHAS\\monkey" and checking the user-group mappings.

KUSANKAR-ASA-5505# show user-identity user-of-group CHAS\\monkey

Other useful show commands:

show user-identity statistics user

show user-identity statistics top user

sh asp table classify domain user-statistics

Debugs

debug user-identity user

debug user-identity user-group

debug user-identity ad-agent

debug user-identity ldap

debug user-identity logout-probe

debug user-identity acl

debug user-identity tmatch

debug user-identity fqdn

debug user-identity process

debug user-identity debug

debug user-identity error

debug ldap 255

Syslogs

746001-746019

Common Problems

6. AD Agent is unable to talk to the DC - ADObserver debug log shows ERROR: Failed to register

How to enable adobserver debug log:

In the AD-Agent computer under the folder IBF\adobserver  there is a file named "logconfig.ini". We need to enable debug log in this file by changing LOG_NONE to LOG_DEBUG and restarting the AD Agent service.

[logger]

;this is the logging level

;logging levels are: LOG_VERBOSE, LOG_DEBUG, LOG_INFO, LOG_WARN, LOG_ERROR, LOG_FATAL

;to disable log, set LOG_LEVEL=LOG_NONE, this is the default.

LOG_LEVEL=LOG_DEBUG


Problem: The adObserver debug logs give the following:

Thu Jan 05 10:03:18 2012: ~~~~  Logger Started!      Logging Level: LOG_DEBUG  ~~~~

Thu Jan 05 10:03:18 2012: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32, build 539) started ------------

Thu Jan 05 10:03:18 2012: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)

Thu Jan 05 10:03:18 2012: DEBUG: Initializing Winsock

Thu Jan 05 10:03:18 2012: DEBUG: Winsock Initialized

Thu Jan 05 10:03:18 2012: DEBUG: Found local machine FQDN: praprama.praprama1.DC.cisco.com

Thu Jan 05 10:03:18 2012: INFO: Connecting to configuration server

Thu Jan 05 10:03:18 2012: INFO: Configuration loaded successfully from server

Thu Jan 05 10:03:18 2012: DEBUG: EventCallback and DcStatusCallback initialized successfully

Thu Jan 05 10:03:18 2012: DEBUG: Notifier Thread: thread message queue initiated successfully

Thu Jan 05 10:03:18 2012: DEBUG: Notifier thread started successfully

Thu Jan 05 10:03:18 2012: INFO: adding dc: prap with guid: 1325786574-4-436376122

Thu Jan 05 10:03:18 2012: EXCEPTION OCCURED: .\DcMonitor.cpp:373    getDcVersion: Error with ConnectServer for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>    Error code: 80041064

Thu Jan 05 10:03:18 2012: .\DcMonitor.cpp:373    getDcVersion: Error with ConnectServer for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>    Error code: 80041064

Thu Jan 05 10:03:18 2012: EXCEPTION OCCURED: .\DcMonitor.cpp:136    Could not find dc version (in addDc) for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>

Thu Jan 05 10:03:18 2012: ERROR: Failed to register DC: dc name: prap hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>. Error returned: .\DcMonitor.cpp:136    Could not find dc version (in addDc) for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>.  Will wait for next DC list update from configuration server

Checking the DC from the AD Agent box may show the following:

C:\IBF\CLI>adacfg dc list
Name Host/IP      Username      Domain-Name Latest Status
---- ------------ ------------- ----------- -------------
prap praprama Administrator             down

Solution:

The host name must be the case-sensitive NetBIOS name. If that does not work, add the DC using its FQDN.

So, instead of using this line

C:\IBF\CLI>adacfg dc create -name prap -host praprama -domain praprama1.DC.cisco.com -user Administrator -password Cisco123

change the above line to the following:

C:\IBF\CLI>adacfg dc create -name prap -host praprama.praprama1.DC.cisco.com -domain praprama1.DC.cisco.com -user Administrator -password Cisco123
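The adObserver debug log is long and repetitive, and the two lines that matter ("Error with ConnectServer ... Error code" and "ERROR: Failed to register DC") are easy to miss among the DEBUG noise. The following triage script is an added example (not from this document or from Cisco) that reduces the log to de-duplicated findings, records the DC name, host name, domain and error code from the registration failure, and, following the fix described in this problem, proposes the `adacfg dc create` command with the FQDN when the host was registered by short name. The sample log is assembled from the two adObserver excerpts on this page (this problem and the configuration-server error quoted in the comments), trimmed to the relevant lines; the finding names are my own, and the `<password>` placeholder must be replaced by the DC user's password.

```python
import re

# Constructed sample: lines taken from the two adObserver log excerpts on this page,
# trimmed to the ones that carry the failure details.
SAMPLE_LOG = r"""
Thu Jan 05 10:03:18 2012: INFO: adding dc: prap with guid: 1325786574-4-436376122
Thu Jan 05 10:03:18 2012: EXCEPTION OCCURED: .\DcMonitor.cpp:373    getDcVersion: Error with ConnectServer for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>    Error code: 80041064
Thu Jan 05 10:03:18 2012: ERROR: Failed to register DC: dc name: prap hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>. Error returned: .\DcMonitor.cpp:136    Could not find dc version (in addDc) for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>.  Will wait for next DC list update from configuration server
Thu Apr 26 16:50:43 2012: EXCEPTION OCCURED: .\ADObserverConfig.cpp:85    loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server
"""

REGISTER_FAIL = re.compile(r"ERROR: Failed to register DC: dc name: (\S+) hostname: (\S+) "
                           r"domain: (\S+) username: (\S+)")
ERROR_CODE = re.compile(r"Error code: ([0-9A-Fa-f]{8})")
CONFIG_SERVER = re.compile(r"could not connect to configuration server: (\S+)\.")


def triage(log_text):
    """Reduce an adObserver debug log to a de-duplicated list of actionable findings."""
    findings, seen, codes = [], set(), []
    for line in log_text.splitlines():
        m = ERROR_CODE.search(line)
        if m and m.group(1).upper() not in codes:
            codes.append(m.group(1).upper())   # codes seen so far are attached to the next failure
        m = REGISTER_FAIL.search(line)
        if m and ("dc", m.group(1)) not in seen:
            seen.add(("dc", m.group(1)))
            dc, host, domain, user = m.groups()
            finding = {"kind": "DC-REGISTER-FAILED", "dc": dc, "hostname": host,
                       "domain": domain, "user": user, "error_codes": list(codes),
                       "next_step": None}
            if "." not in host:
                # The fix this document gives: if the NetBIOS host name fails, re-add the DC by FQDN.
                finding["next_step"] = (f"adacfg dc create -name {dc} -host {host}.{domain} "
                                        f"-domain {domain} -user {user} -password <password>")
            findings.append(finding)
        m = CONFIG_SERVER.search(line)
        if m and ("cfg", m.group(1)) not in seen:
            seen.add(("cfg", m.group(1)))
            findings.append({"kind": "CONFIG-SERVER-UNREACHABLE", "server": m.group(1),
                             "next_step": "check the agent components with 'adactrl.exe show running'"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f.get("dc", f.get("server")), "->", f["next_step"])
```

Point it at C:\IBF\adobserver's log after switching LOG_LEVEL to LOG_DEBUG as described above; a DC already registered by FQDN produces a finding with no next step, which means the name was not the problem.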

7. LDAP server test may fail

Problem

The LDAP server test may fail with the following message:

Hostname# test aaa-server authentication ADPROFILE username xxxxx password xxxxxx

Server IP Address or name: 172.20.100.10

INFO: Attempting Authentication test to IP address <172.20.100.10> (timeout: 12 seconds)

ERROR: Authentication Server not responding: AAA Server has been removed

Captures taken on the ASA ("cap capin int inside match tcp any host 172.20.100.10") may show the following, indicating that strong authentication is required, meaning LDAP over SSL:

ldap-ssl.jpg

Testing from ASDM may show this error:

error-ldap-test.jpg

Solution:

Adding ldap-over-ssl to the config resolves the issue:

    aaa-server AD1 protocol ldap

    aaa-server AD1 (inside) host 172.20.110.10

    ldap-over-ssl enable

    server-port 636

8. AD may not send ip address/logon to the ASA

Problem

Debugs (debug user-identity ad-agent) may show the following:

idfw_proc[0]: radius query result OK(0), notify caller

idfw_proc[0]: [ADAGENT] radius request STATUS succeeded

idfw_proc[0]: [ADAGENT] domain 'TESTVPN' not configured

ASA config lines show the following:

user-identity domain testvpn.it aaa-server DC01

user-identity default-domain testvpn.it


Solution

Change the config lines on the ASA to match the case seen in the debugs:

user-identity domain TESTVPN aaa-server DC01

user-identity default-domain TESTVPN


Now the debugs show the following:

idfw_adagent[0]: [ADAGENT] processing RADIUS request from 192.168.2.100/5851

idfw_adagent[0]: [ADAGENT] update 192.168.2.213 <-> TESTVPN\user01 iptype 0 origin 0.0.0.0

idfw_adagent[0]: [ADAGENT] reply CoA-ACK to 192.168.2.100/56086


Comments

manisharora111 Mon, 12/05/2011 - 12:15

Thanks Kureli!!! Are there any plans for adding a Websense kind of feature to this enhancement?

Thanks again

Manish

Poonguzhali Sankar Mon, 12/05/2011 - 13:15 (reply to manisharora111)

Not that I have heard. We have

- ironport wccp

- botnet - also with ironport

- CSC module for certain models of ASA - for content

Websense is for content and based off of destination address/URL.

If you look at the limitations up above, the first bullet says it all. We cannot do destination-based URL, only FQDN. Objects can take an FQDN and we can call the object under an object-group. For example, you can allow or deny yahoo.com but not yahoo.com/index.html

https://supportforums.cisco.com/docs/DOC-20366#Limitations

<Edit>

I forgot to mention about scan safe. Pls. read here:

-Kureli

oscar.perez@cal... Thu, 09/26/2013 - 11:49 (reply to Poonguzhali Sankar)

I am doing some research and looking specifically for wccp redirection to Ironport based on IDFW. It says that feature is not supported but later on you mentioned:

Not that I have heard. We have

- ironport wccp

- botnet - also with ironport

- CSC module for certain models of ASA - for content

Is that functionality now supported?

Thanks,

Oscar Perez

h.tuytela Tue, 01/03/2012 - 07:07

Hi Kureli,

Interesting feature and good doc. Is it however mandatory to use a client on the AD controller? I don't like the idea of putting client software on servers for this purpose only, especially since LDAPS overcomes some of the security concerns.

Thanks,

Hans

rmeans Tue, 03/13/2012 - 08:16

I am deploying a 5585x within my server environment.  Initially the firewall will be used more for gathering information and later used to provide access control.

Is it required to have the ASA talk directly to AD?  If I deploy the ad agent and set up the ASA, will I get logging that identifies the user?  For example, my ASA that handles remote access VPN tags log messages with a user id.  Matching a user id with an IP address will be helpful.

%ASA-6-302013: Built inbound TCP connection 1 for outside:172.17.1.61/3839 (172.17.1.61/3839) to inside:192.168.210.80/80 (192.168.210.80/80) (AAA user id)

munurewan1 Sat, 03/24/2012 - 06:20

I am running ASA 8.4(2), adagent 1.0.0.32, Windows 2003 Server Standard. The adagent works fine, shows its status up and pulls the username-to-IP-address binding for 1-2 minutes. After that it loses the binding. I have checked WMI on the server, which is running; the client machine firewall is turned off. The LDAP test and AD agent test from the firewall work fine. User login/logoff auditing has been turned on on the DC.

below is the code configured in asa

aaa-server ad-agent protocol radius

ad-agent-mode

aaa-server ad-agent (inside) host 10.1.4.100

key *****

radius-common-pw *****

aaa-server 10.1.4.100 protocol ldap

aaa-server 10.1.4.100 (inside) host 10.1.4.100

ldap-base-dn dc=munu,dc=com

ldap-group-base-dn dc=munu,dc=com

ldap-scope subtree

ldap-login-password *****

ldap-login-dn cn=Administrator,cn=Users,dc=munu,dc=com

server-type microsoft

user-identity domain munu aaa-server 10.1.4.100

user-identity default-domain munu

user-identity logout-probe netbios local-system probe-time minutes 1 retry-interval seconds 3 retry-count 3 match-any

user-identity ad-agent aaa-server ad-agent

user-identity user-not-found enable

Any idea on this issue.

Thanks,

Rewanta

munurewan1 Sat, 03/24/2012 - 11:41 (reply to munurewan1)

Was able to get it working by adding the following command in the adagent CLI:

C:\IBF\CLI>adacfg options set -userLogonTTL 3600

as the adagent was using a userLogonTTL of a minute.

thanks all

netgus2010 Thu, 04/26/2012 - 10:11

Hello,

I followed your document, and if I try to test with packet tracer I receive this message: no active IPV4 address found user NETGUS\test

I checked every parameter and didn't meet any problem or error message.

My ASA used 8.4(3) and ASDM 6.4(7).

Cisco AD Agent adacfg -- version 1.0.0.32, build 539  (Windows 2008 R2)

(Built from sources last modified 2011-05-16 20:52:05 +0300)

C:\IBF\CLI>adacfg.exe dc list

Name           Host/IP                    Username      Domain-Name Latest Status

-

fr-poi-dc-01   fr-poi-dc-01.netgus.corp   administrator NETGUS      up          (DC with Windows 2008 R2)

fr-poi-w8r2-02 fr-poi-w8r2-02.netgus.corp Administrator NETGUS      up      (DC with Windows 2008 R2)

C:\IBF\CLI>adactrl.exe show running

running C:\\IBF\\watchdog\\radiusServer.bat since 2012- 4-26 T17: 5: 4

running C:\\IBF\\watchdog\\adObserver.bat since 2012- 4-26 T17: 5: 4

SA5505# test aaa-server ad-agent ADAGENTSRV

Server IP Address or name: 192.168.1.28

INFO: Attempting Ad-agent test to IP address <192.168.1.28> (timeout: 12 seconds)

INFO: Ad-agent Successful

user-identity domain NETGUS aaa-server ADSRV

user-identity default-domain NETGUS

user-identity action netbios-response-fail remove-user-ip

user-identity logout-probe netbios local-system

user-identity ad-agent aaa-server ADAGENTSRV

user-identity user-not-found enable

ASA5505# test aaa-server authentication ADSRV (LDAP)

Server IP Address or name: 192.168.1.49

Username: test

Password: *********

INFO: Attempting Authentication test to IP address <192.168.1.49> (timeout: 12 seconds)

INFO: Authentication Successful

But:

ASA5505# sh user-identity user active domain NETGUS list detail

Total active users: 0    Total IP addresses: 0

  NETGUS: 0 users, 0 IP addresses

Thu Apr 26 16:50:43 2012: EXCEPTION OCCURED: .\ADObserverConfig.cpp:85    loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server

Thu Apr 26 16:51:04 2012: EXCEPTION OCCURED: .\ADObserverConfig.cpp:125    Could not load adoExtendedHistoryItems from configuration server!

Thu Apr 26 17:05:28 2012: EXCEPTION OCCURED: .\ADObserverConfig.cpp:85    loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server

Thu Apr 26 17:05:50 2012: EXCEPTION OCCURED: .\ADObserverConfig.cpp:85    loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server

Thu Apr 26 17:06:10 2012: EXCEPTION OCCURED: .\ADObserverConfig.cpp:125    Could not load adoExtendedHistoryItems from configuration server!

What can I do as an extra test?

Any idea on this issue.

Thanks,

Bruno

fabasoft-534 Tue, 05/08/2012 - 04:32

Hi,

your document is real great work!

For me to understand - how is the use-case LOGOFF from the client solved -

I have seen in my lab that the RADIUS CoA process is only triggered with LOGON.

So the ASA is told only LOGON events from the AD-Agent - and the idle timeout is

the last chance to age out. To Use the Identity Firewall again the user has to LOGOFF and LOGON

again.

thanks,

Herbert

christian.geissler Sun, 09/23/2012 - 23:57

Hello

I have the same problem with the username-to-IP mapping.

Is the error on the Windows server side??

Cisco config looks OK.

RADIUS and LDAP authentication tests are OK; when configuring rules I can also browse the LDAP ...

Any ideas??

Poonguzhali Sankar Tue, 09/25/2012 - 07:48 (reply to fabasoft-534)

Even though AD-Agent and domains are all active, it is still possible that the IP addresses' user identities may not be accurate. This is a constraint of the Windows AD logout mechanism. Windows does not report logout events to the AD domain controller. In addition, users can just suspend their computer, de-dock their laptop and move to another location...etc. All these events cannot be detected, and their IP addresses, while still valid on both AD-Agent and ASA, may be used by other users.

To expire the user identity of IP addresses, by default the ASA removes the user identity from an IP address if there is no activity from the IP address for 60 minutes based on the following configuration:

   user-identity inactive-user-timer minutes 60

-Kureli

cristian-popescu Mon, 10/15/2012 - 08:06

Hi,

What happens if multiple users are mapped with the same IP (nat-ed clients or different sessions from the same machine)? First allowed user with that IP will open the way for the rest, even if the others don't have access?

Thanks,

Cristian

pete_paiva@merck.com Mon, 11/12/2012 - 10:39

Hi Kureli,

We're looking at the identity firewall for our shopfloor/manufacturing environments.  This doc looks great, going to follow this now and test it in the lab.

Thanks,

Pete

Poonguzhali Sankar Tue, 10/22/2013 - 07:38 (reply to pete_paiva@merck.com)

Glad to hear Pete.  Sorry just saw these messages on my doc.  AD agent has been replaced with CDA now.  It is free and runs as a VM.  Very easy install.  What did you all decide? ASA-CX with CDA is great.  Have you tried that out?

-Kureli

amaathuis Wed, 11/21/2012 - 07:05

Hi,

I have the same question like Cristian. Is the IBF compatible with a terminal server / SBC environment ?

It looks like the ASA can only have 1 ip-to-name binding.

Thanks,

Arvid

shakeerali Sun, 02/03/2013 - 10:33

Hi,

I followed all the steps... and I didn't receive any error either... but when I give this command

NABASA1# sh user-identity user active domain ROBIAN list detail

Total active users: 0    Total IP addresses: 0

  ROBIAN: 0 users, 0 IP addresses

can any one help me?

Thanks...

Capture.JPG Capture1.JPG Capture3.JPG

Poonguzhali Sankar Thu, 03/07/2013 - 09:00 (reply to shakeerali)

Shakeer,

You probably need to do "debug user-id all" on the ASA and see what it prints.

1. When you login using a PC as this user, does the AD log a message in the security logs about you logging in?

2. Is that message being sent to the AD Agent? You can enable the debug log on the AD Agent and find that out.

3. Is that message getting passed down to the ASA?

IDFW cases take a bit to troubleshoot as there are many moving parts involved. It would be best if you could open a TAC case and work with an engineer.

-Kureli

lvaschetti Fri, 02/22/2013 - 05:02

Hi,

     Great article, excellent detail level. I'm afraid I'm not able to see the "Identity Options" menu nor the "User" column in Access Rules.

     Do I have to enable anything to be able to access to Identity Options? I have an ASA 5510 Sec Bundle

Thanks in advance..!

adil.nasser3 Wed, 10/16/2013 - 13:16 (reply to lvaschetti)

I am thinking to set up Identity Firewall functionality too for our environment.  I had a couple of questions.  Is the new version of AD Agent now called CDA (Context Directory Agent)?  Also will this support Windows 2012?

shakeerali Thu, 03/07/2013 - 21:10

Hi,

I did contact TAC and the issue is now resolved. The issue was a mismatched password (the ASA user account password that we created in the DC).

Thanks....

krakken Thu, 04/11/2013 - 06:41

If I am using the ASA as an Anyconnect gateway and the users are authenticated by AD/LDAP on the ASA, do I still need the AD-Agent?

tajmanone Sun, 06/30/2013 - 10:01

Hello Kureli,

This article is very useful and well detailed. I've configured an ASA using the scenario of installing the AD Agent on a separate machine from the DC. When I test from the ASA I can reach the agent successfully; however, when I test access to the DC I get a low memory error dialog similar to the one error box in your article. Does this mean that I have to increase the memory on my agent server?

kazaros-kazaros Sun, 08/25/2013 - 12:36

hi

Has somebody solved the problem of several users using one IP address, as is the rule when using Windows terminal servers?

panfilov.d Thu, 09/19/2013 - 20:22

hi all.

Windows 7 clients do not work. In XP everything works fine.

Empirically I found that it has to do with the "net send" service, which in Windows 7 is not there.

What to do?

aman.diwakar Tue, 10/01/2013 - 09:06

Great job Kureli, it really helped me set this up quickly, although, most of us are trying to set this up with an account that does not have domain admin rights and getting Permissions right in Windows is NOT easy, the way to get permission to read the security event log is really bad and tedious and convoluted. Does anyone have an easy way to setup the Security Event log read permissions to a non Domain Admins user?

Poonguzhali Sankar Tue, 10/22/2013 - 07:39 (reply to aman.diwakar)

I hear you.  It is hard if the user isn't a domain admin. If you follow all the steps in our guide then, it just works perfectly.  Just takes some time.

-Kureli
