New Member

Cisco ASA identity firewall

Hello,

I'd like to implement identity firewall on Cisco ASA. I've been reading the following doc,

https://supportforums.cisco.com/docs/DOC-20366

however, in my case I have two Windows Domain Controllers, named FoA for example, where the agent is also installed, and two other Windows Domain Controllers, named FoB for example. The users are actually in the FoB Domain Controllers' AD. My question is: since I cannot query FoB directly, I'd like to create a one-way trust from FoA to FoB, and then the firewalls would query FoA. Do you think it can work?

I hope my question is understandable.

Thank you

5 REPLIES
New Member

Cisco ASA identity firewall

Hi,

Is your AD environment a single forest with multiple domains, or multi-forest with multiple domains?

If it's a single forest, then there should already be an inherent two-way trust between the domains.

If it's multi-forest, then a two-way trust will need to be established between the domains, or a two-way forest trust relationship can be established.

Thanks!

New Member

Cisco ASA identity firewall

I give up on the domain trust solution, so I will install the agent on the DC where I have the users to include in identity-based access rules. Let me ask you one more question: is user identity-to-IP address mapping possible if a user is in Active Directory but his PC is not in that domain?

New Member

Re: Cisco ASA identity firewall

The workstation also has to be a member of the domain. So the end user must log into the domain from a workstation on the domain.

Hope that helps!


New Member

Cisco ASA identity firewall

Thanks,

so let's suppose a user is in the domain but his workstation is not, and he is included in an identity-based access rule (regardless of the destination port): will a popup window be shown to the user to authenticate?

New Member

Re: Cisco ASA identity firewall

No, the ASA will not prompt for authentication; there is no mechanism for the ASA to do that.

Thanks,
Joe
