The ASA must be running minimum 8.4.2 code to be able to configure IDFW feature.
The AD Agent must be installed on a Windows server that is accessible to the ASA. Additionally, you must configure the AD Agent to obtain information from the Active Directory servers. Configure the AD Agent to communicate with the ASA.
Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.
Windows 2003 R2 is not supported for the AD Agent server.
ASA sends encrypted log in information to the Active Directory server by using SSL enabled over LDAP. SSL must be enabled on the Active Directory server.
•A full URL as a destination address is not supported.
• MAC address checking by the Identity Firewall does not work when intervening routers are present.
•The following ASA features do not support using the identity-based object and FQDN:
–group-policy (except VPN filter)
Feature is supported in all models of ASAs.
Feature is supported in all modes of ASAs - transparent, routed, single and multiple-context mode.
Total users supported - ASA5505 (1024 users), Other model ASAs support 64K users
Total groups supported - 256 groups
Total number of IPs per user in a domain - 8 IP addresses
AD Agent can support up to 100 client devices and 30 domain controller machines, and can internally cache up to 64,000 IP-to-user-identity mappings.
ASA - The Identity Firewall supports defining only two AD-Agent hosts. This applies to single as well as multiple contexts. Each context can support only 2 AD-Agents.
DC and AD-Agent Co-loated on the same box. No redundancy. The step by step configuration below is based off of this topology.
DC and AD-Agent on different boxes. No redundancy.
Multiple DCs and Single AD-Agent - all on separate boxes.
Multiple DCs and multiple AD-Agent - all on separate boxes. Offers redundancy. For example if you have 30 domain controllers, you would need 2 AD-Agent boxes. Each AD-Agent will have all 30 DCs configured on it to receive login/logoff events from. You would configure both the AD-Agents on the ASA. ASA will talk to only one AD-Agent at a time and use the other as backup.
If you have more than 30 domain controllers, then consider multiple context. Each context follows the same IDFW rules. Each context can support only 2 AD-Agents.
Licensing for IDFW
Base License - All Models
Step by Step Configuration
1. Configure the Active Directory Domain (on the ASA)
Gather the following information:
a. AD Domain Controller Server IP address
b. Distinguished Name for LDAP base dn
c. Create a UserID and password on the DC that the ASA/IDFW will use to connect to the DC (Domain Controller)
The DC's name is kurelisankar.DC1.SAMPLE.com. By configuring the ldap-base-dn,
AD server will know where it should begin searching when it receives an authorization request.
By default the ASA talks to the DC using port tcp 389. If SSL is enabled on the DC then we need to enable ldap-over-ssl on the ASA as well, and also configure server-port 636 so the ASA can talk to the DC using port 636. This is optional.
Once the DC has been added via the "adacfg dc create" command, we can verify the status by the "adacfg dc list" command and make sure the DC shows "UP".
Make sure the DCs are configured to send logon logoff events to the security event log.
a. To enable 672/673 (or 4768/4769 for Windows 2008 ) logon events in the Domain Controller event log, choose Start > Administrative Tools > Domain Controller Security Policy on each Domain Controller machine.
b. Choose Security Settings > Local Policies > Audit Policy.
c. Define the policy setting for the Audit Account login events policy (audit success). See screen shot below:
Make sure the WMI (Windows Management Instrumentation) Service is started on the AD Agent and the Domain Controllers and the firewall on both these units are either turned off or are allowing the following ports. The following list does not include the dynamically allocated (random) port numbers that are used by WMI.
1645, 1646, 1812, 1813 - udp
888 - tcp
3. Configure the AD Agent on the ASA
Gather the following information:
a. AD Agent IP address (AD Agent could be installed on the DC)
Here is the screen shot to configure it from the ASDM side:
Ping and AD-Agent test from the ASA and ping test from AD-Agent:
Test the connectivity between ASA and the adagent with the command "test aaa-server ad-agent adagent". This test will be successful only if the "name" that was used in "adacfg dc create -name KS-host kurelisankar -domain dc1.sample.com -user Administrator -password ww", in this case "KS" can be resolved to the DC's IP address. The netbios name KS here is case sentisive.
KUSANKAR-ASA-5505# ping KS.dc1.sample.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
KUSANKAR-ASA-5505# test aaa-server ad-agent adagent
Server IP Address or name: 192.168.2.2
INFO: Attempting Ad-agent test to IP address <192.168.2.2> (timeout: 12 seconds)
INFO: Ad-agent Successful
4. Configure Identity Options on the ASA
Configure user-identity config on the ASA. user-identity domain can be different from the e-mail domain of the company or the domain-name configured on the ASA. The domain name comes from the simple NETBIOS name of the Active Directory Domain. How to find the NETBIOS name of the AD domain? Very simple. Look at the screen shot below. NETBIOS name is case sensitive. If this is incorrect then the ASA will not make a query out on port 389 to get the users and groups from the AD Server.
AD Agent is unable to talk to the DC - ADObserver debug log shows ERROR: Failed to register
How to enable adobserver debug log:
In the AD-Agent computer under the folder IBF\adobserver there is a file named "logconfig.ini". We need to enable debug log in this file by changing LOG_NONE to LOG_DEBUG and restarting the AD Agent service.
Thu Jan 05 10:03:18 2012: DEBUG: Notifier thread started successfully
Thu Jan 05 10:03:18 2012: INFO: adding dc: prap with guid: 1325786574-4-436376122
Thu Jan 05 10:03:18 2012: EXCEPTION OCCURED: .\DcMonitor.cpp:373 getDcVersion: Error with ConnectServer for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden> Error code: 80041064
Thu Jan 05 10:03:18 2012: .\DcMonitor.cpp:373 getDcVersion: Error with ConnectServer for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden> Error code: 80041064
Thu Jan 05 10:03:18 2012: EXCEPTION OCCURED: .\DcMonitor.cpp:136 Could not find dc version (in addDc) for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>
Thu Jan 05 10:03:18 2012: ERROR: Failed to register DC: dc name: prap hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>. Error returned: .\DcMonitor.cpp:136 Could not find dc version (in addDc) for DC: dc name: praprama hostname: praprama domain: praprama1.DC.cisco.com username: Administrator password: <hidden>. Will wait for next DC list update from configuration server
Checking the DC from the AD Agent box may show the following:
C:\IBF\CLI>adacfg dc list
Name Host/IP Username Domain-Name Latest Status
---- ------------ ------------- ----------- -------------
prap praprama Administrator down
Host name has to be the netbios case sensitive name. If that does not work then add the DC using it FQDN.