Windows Active Directory

Can I use AAA RADIUS on an ASA 5505 to block outgoing user access by user name in a group? Thanks

Accepted Solution

Re: Windows Active Directory

Hello,

I think that you might be interested in checking out the new ASA 8.4 feature: Identity Firewall

Identity Firewall


Typically, a firewall is not aware of the user identities and, therefore, cannot apply security policies based on identity.


The Identity Firewall in the ASA provides more granular access control based on users' identities. You can configure access rules and security policies based on user names and user group names rather than through source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped user names instead of network IP addresses.


The Identity Firewall integrates with Windows Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses.


In an enterprise, some users log onto the network by using other authentication mechanisms, such as authenticating with a web portal (cut-through proxy) or by using a VPN. You can configure the Identity Firewall to allow these types of authentication in connection with identity-based access policies.


We introduced or modified the following commands: user-identity enable, user-identity default-domain, user-identity domain, user-identity logout-probe, user-identity inactive-user-timer, user-identity poll-import-user-group-timer, user-identity action netbios-response-fail, user-identity user-not-found, user-identity action ad-agent-down, user-identity action mac-address-mismatch, user-identity action domain-controller-down, user-identity ad-agent active-user-database, user-identity ad-agent hello-timer, user-identity ad-agent aaa-server, user-identity update import-user, user-identity static user, ad-agent-mode, dns domain-lookup, dns poll-timer, dns expire-entry-timer, object-group user, show user-identity, show dns, clear configure user-identity, clear dns, debug user-identity, test aaa-server ad-agent.

Please find the Configuration Guide Chapter referring to the Identity Firewall attached.

Hope this points you in the right direction.

Regards.
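As an added worked example (not from the original post and not taken from Cisco's configuration guide), the fragment below shows how the Identity Firewall pieces described in the answer fit together for the asker's scenario: denying outbound traffic from members of one AD group while everyone else keeps access. The AD Agent is reached through a RADIUS aaa-server group placed in ad-agent-mode, which is where AAA RADIUS enters the picture. The domain name EXAMPLE, the addresses 192.0.2.10 (AD Agent) and 192.0.2.20 (domain controller), the interface name inside, the bind account and the group EXAMPLE\\NoInternet are all assumed values for illustration.

```cisco
! Constructed example; not from the original post or from Cisco's guide.
! Assumed: domain EXAMPLE, AD Agent 192.0.2.10, domain controller 192.0.2.20,
! inside interface "inside", AD group EXAMPLE\\NoInternet = users to block.

! 1. AD Agent: the ASA receives IP-to-user mappings from it over RADIUS.
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 192.0.2.10
 key <shared-secret>
user-identity ad-agent aaa-server ADAGENT

! 2. Domain controller: LDAP lookups for users and group membership.
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-group-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-reader,CN=Users,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
user-identity domain EXAMPLE aaa-server LDAPSERVER
user-identity default-domain EXAMPLE
user-identity enable

! 3. Identity object: the AD group whose members lose outbound access.
object-group user BLOCKED_USERS
 user-group EXAMPLE\\NoInternet

! 4. Identity-aware ACL applied inbound on the inside interface, i.e. on
!    traffic leaving the LAN. Group members are denied; all others permitted.
access-list INSIDE_IN extended deny ip object-group-user BLOCKED_USERS any any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

After applying this, `test aaa-server ad-agent ADAGENT` confirms the agent is reachable and `show user-identity user active` lists the IP-to-user mappings the ACL is actually matching against. Two caveats a practitioner should keep in mind: the rule binds identity to an IP address, so it is only as trustworthy as the agent's mapping (a second user on the same host, or anyone who obtains a mapped address, inherits that user's treatment), and what happens when the agent or domain controller is unreachable is not something to leave at defaults without thought; the `user-identity action ...` and `user-identity user-not-found` commands listed in the answer are where that fail-open or fail-closed behaviour is chosen.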


Windows Active Directory

Carlos, thank you for the quick response and your answer. I will review the document. Thanks again, Tom
