dal
New Member

Major flaw in Identity Firewall?

Hi!

I have just configured identity firewall on our ASA 5510.

I have 3 nodes that authenticate against Active Directory, using the Windows Server 2008 R2 built-in Network Policy Server:

A laptop, a stationary PC, and an Android phone. All 3 nodes are authenticated using the same user/password.

Now, in ASDM -> Monitoring -> Properties -> Identity -> Users, I can see two of the nodes with my user name attached to it, namely the laptop and the stationary PC.

But not the Android phone.

Then it dawned on me. To set up the ADAgent properly, you have to apply 2 group policy entries. Unfortunately, those 2 entries are applied to the Computer Configuration part of the Group Policy!!

This means that your COMPUTER has to be a member of your domain for USER IDENTITY to work.

Err. hello?

So my Android phone and other nodes that are not members of the AD machine store will never be detected by identity rules, and can roam the network freely.

If this isn't a major flaw, I don't know what is.

Unless, of course, there is something I have completely misunderstood.

Please tell me that I have.

2 REPLIES
Cisco Employee

Major flaw in Identity Firewall?

Hello,

For devices that are not joined to the AD domain, the IDFW feature supports learning username to IP mappings via VPN or cut-through proxy authentication. The configuration guide describes this type of deployment:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html#wp1372180

-Mike
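As an added illustration of the cut-through proxy deployment Mike's reply points to (this is example configuration written for this page, not taken from the thread or from Cisco's guide), the fragment below makes the ASA prompt a host on the inside interface for credentials in the browser before its web traffic is permitted, so a non-domain-joined device such as a phone still produces a user-to-IP mapping. The server group name, the RADIUS host address, the shared secret, the ACL name and the 192.0.2.0/24 inside network are placeholders, and the identity firewall domain configuration the ASA already has is assumed to exist and is not shown.

```cisco
! Placeholder names and addresses; adjust to the real deployment.
! RADIUS server group pointing at the NPS the poster already authenticates against.
aaa-server NPS_RADIUS protocol radius
aaa-server NPS_RADIUS (inside) host 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER

! Traffic that must be authenticated before it is allowed through the ASA.
access-list AUTH_WEB extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list AUTH_WEB extended permit tcp 192.0.2.0 255.255.255.0 any eq https

! Cut-through proxy: sessions from "inside" matching AUTH_WEB require authentication.
aaa authentication match AUTH_WEB inside NPS_RADIUS

! Serve the login page on the ASA and redirect unauthenticated HTTP clients to it.
aaa authentication listener http inside port 8080 redirect

! Identity firewall must be enabled for the learned mapping to be usable in
! identity-based access rules (the user-identity domain setup is assumed present).
user-identity enable
```

After a device authenticates through the proxy, `show uauth` lists the authenticated user and its IP address with the remaining timeout, and the same mapping should then appear under ASDM -> Monitoring -> Properties -> Identity -> Users, which is the view the original post used to notice the missing phone. Because the mapping ages out with the uauth timeout, a device that is idle for longer than that timeout is prompted again, which is the "log in twice" behaviour the follow-up post objects to.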

dal
New Member

Major flaw in Identity Firewall?

Hi, thank you for answering.

So users are being forced to log in 2 times every time they want to access the net?

Does not seem very user friendly to me.

I cannot see any good reason why a computer is a dependency in a USER identity awareness.

Just another example that Cisco should stick to what they can (routing and switching), everything else they seem to be clueless about.
