Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36
Configuring the Identity Firewall
This chapter describes how to configure the ASA for the Identity Firewall. The chapter includes the
following sections:
Information About the Identity Firewall
Licensing for the Identity Firewall
Guidelines and Limitations
Prerequisites
Configuring the Identity Firewall
Monitoring the Identity Firewall
Feature History for the Identity Firewall

Information About the Identity Firewall

This section includes the following topics:
Overview of the Identity Firewall
Architecture for Identity Firewall Deployments
Features of the Identity Firewall
Deployment Scenarios
Cut-through Proxy and VPN Authentication

Overview of the Identity Firewall

In an enterprise, users often need access to one or more server resources. Typically, a firewall is not
aware of the users’ identities and, therefore, cannot apply security policies based on identity. To
configure per-user access policies, you must configure a user authentication proxy, which requires user
interaction (a user name/password query).

The Identity Firewall in the ASA provides more granular access control based on users’ identities. You
can configure access rules and security policies based on user names and user group names rather than
source IP addresses. The ASA applies the security policies based on an association of IP
addresses to Windows Active Directory login information and reports events based on the mapped user
names instead of network IP addresses.