Looking at implementing IDFW with VPN authentication, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_idfw.html#wp1372180,
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD Agent, which distributes the user information to all registered ASA devices. Specifically, the user identity-IP address mappings of authenticated users are forwarded to all ASA contexts that contain the input interface where packets are received and authenticated.
What I want to do is create identity-aware access rules.
Let's suppose a user authenticates through the VPN ASA firewall by LDAP against AD. The VPN ASA firewall reports identity-IP address mappings to the AD Agent. The AD Agent reports the identity-IP address mappings to all the other firewalls. Then I can create identity-aware access rules on all the other firewalls? Is it that easy, or am I missing something?
I think the Cisco agent just has to get a user AD domain logon event. LDAP logon auth through VPN or cut-through proxy, yes (or SSO, of course, if it is a domain workstation), but I'm not sure about RADIUS auth (I don't think so).
Another thing to be aware of is remote VPN access. When you remote VPN in, you get authenticated to the firewall. This could be via local ASA accounts, RADIUS, TACACS+, ACS, LDAP etc. If you use AAA LDAP authentication (using Active Directory in this case), you are not logging on to the domain as you VPN in; you are simply saying ‘here are my AD credentials, please authenticate me on the firewall’. At that point, one of two things happens with the Identity Firewall. If you are using a domain computer to remote in, that machine will automatically try to make contact with a DC. When it finds one (over the VPN), it will log on to the domain, create a security log entry, and the AD Agent will let the ASA know. Any rules assigned to that user that don’t filter on source IP will now come into effect. However, if the machine is not joined to the domain, there will be no logon event (the username\password given at connection was only for VPN authentication), and so any user-identity ACLs will not apply.
...and actually, in the DC security events there are no logon events for machines not joined to the domain.
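As an added illustration (not from any poster in this thread, and not Cisco's own sample), the following is the kind of configuration the question above is asking about, on one of the "other firewalls" that only receives mappings from the AD Agent. The domain name EXAMPLE, the server group names, the addresses, the user/group names and the ACL name are all assumptions. Note the identity ACEs use `any` as the source address, which is the case the reply above says is affected by whether a domain logon event exists.

```cisco
! --- Added example; names, addresses and domain are assumptions, not from the thread ---
! LDAP server group: the ASA imports AD users and groups from here
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,OU=Service,DC=example,DC=local
 ldap-login-password <password>
 server-type microsoft
! AD Agent group (RADIUS): the agent pushes identity-IP mappings to this ASA
aaa-server AD_AGENT protocol radius
 ad-agent-mode
aaa-server AD_AGENT (inside) host 10.0.0.20
 key <shared-secret>
 user-identity
! Tie the domain to the LDAP group, point the ASA at the agent, turn IDFW on
user-identity domain EXAMPLE aaa-server AD_LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server AD_AGENT
user-identity enable
! Identity-aware ACEs: "user" for a single account, "user-group" (double backslash) for an AD group.
! Source is "any"; the ACE matches only once the agent has reported an IP for that identity.
access-list INSIDE_IN extended permit tcp user-group EXAMPLE\\Engineering any host 10.1.1.5 eq 22
access-list INSIDE_IN extended permit tcp user EXAMPLE\jdoe any host 10.1.1.6 eq 443
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
! Verification: confirm the agent is reachable and that a mapping exists before relying on the ACE
show user-identity ad-agent
show user-identity user active
show user-identity ip-of-user EXAMPLE\jdoe
```

If `show user-identity ip-of-user` returns nothing for a user who has connected over VPN from a non-domain machine, that matches the behaviour described in the reply above: without a DC logon event the agent has no mapping to distribute, and the identity ACEs simply never match for that host.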
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router; we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...