02-10-2014 06:46 AM - edited 03-11-2019 08:43 PM
Hello,
I'd like to implement identity firewall on Cisco ASA. I've been reading the following doc,
https://supportforums.cisco.com/docs/DOC-20366
however, in my case I have two Windows Domain Controllers, named FoA for example, where the agent is also installed, and
two other Windows Domain Controllers, named FoB for example. Actually, the users are in the FoB Domain Controllers' AD. My question is: since I cannot query FoB directly, I'd like to create a one-way trust from FoA to FoB; then the firewalls should query FoA. Do you think it can work?
I hope my question is understandable
Thank you
02-10-2014 09:08 AM
Hi,
Is your AD environment a single forest with multiple domains or multiforest and multiple domains?
If it's a single forest, then there should already be an inherent two-way trust between the domains.
If it's multi-forest, then a two-way trust will need to be established between the domains, or a two-way forest trust relationship can be established.
Thanks!
02-12-2014 08:09 AM
I gave up on the domain trust solution, so I will install the agent on the DCs where I have the users to include in identity-based access rules. Let me ask you one more question: is user identity-to-IP address mapping possible if a user is in Active Directory but his PC is not in that domain?
02-12-2014 10:13 AM
The workstation also has to be a member of the domain. So the end user must log into the domain from a workstation on the domain.
Hope that helps!
Sent from Cisco Technical Support Android App
02-13-2014 05:27 AM
Thanks,
so let's suppose a user is in the domain but his workstation is not, and he is included in an identity-based access rule (regardless of the destination port); will a popup window prompting the user to authenticate appear?
02-14-2014 05:15 AM
No, the ASA will not prompt for authentication; there is no mechanism for the ASA to do that.
Thanks,
Joe
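For reference, the following is an added, illustrative ASA identity firewall configuration; it is not part of the original thread or of the Cisco document linked above. It shows the pieces the thread ends up with: the AD agent installed on the domain where the users live (FoB here), an LDAP server group for that domain so the ASA can resolve group membership, and an identity-based ACL. The ASA learns user-to-IP mappings only from the agent (which reads domain logon events), which is why the workstation must be domain-joined and why the ASA never prompts the user itself. All names, addresses, domain components and the group name are assumptions made for the example.

```cisco
! Assumed LDAP server group for the domain that actually holds the users (FoB).
! The ASA uses this to look up group membership, not to learn logons.
aaa-server FOB_LDAP protocol ldap
aaa-server FOB_LDAP (inside) host 10.10.20.11
 ldap-base-dn DC=fob,DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-ldap,CN=Users,DC=fob,DC=example,DC=com
 ldap-login-password <assumed-password>
 server-type microsoft

! Assumed AD agent: the agent runs on (or watches) the FoB DCs and pushes
! user-to-IP mappings to the ASA over RADIUS. A logon from a workstation
! that is not joined to the domain produces no mapping.
aaa-server FOB_AGENT protocol radius
 ad-agent-mode
aaa-server FOB_AGENT (inside) host 10.10.20.12
 key <assumed-shared-secret>
 user-identity

! Tie the NetBIOS domain name to its LDAP group and point the ASA at the agent.
user-identity domain FOB aaa-server FOB_LDAP
user-identity default-domain FOB
user-identity ad-agent aaa-server FOB_AGENT
! Drop a mapping when the host stops answering NetBIOS probes, and keep a
! mapping usable while the LDAP lookup for the user has not completed.
user-identity action netbios-response-fail remove-user-ip
user-identity user-not-found enable
user-identity enable

! Identity-based rule: only members of the assumed FOB\Finance group reach
! the assumed server 10.10.30.5 on HTTPS; everyone else on the inside is denied.
access-list INSIDE_IN extended permit tcp user-group FOB\\Finance any host 10.10.30.5 eq 443
access-list INSIDE_IN extended deny ip any host 10.10.30.5
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

To check that the agent is reachable and that a given user's logon produced a mapping, use `test aaa-server ad-agent FOB_AGENT` and `show user-identity user active`; a user who appears in AD but has no entry in that output (for example because he logged on from a workstation outside the domain) will simply not match the `user-group` line and will fall through to the deny.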