Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Information About the Identity Firewall
The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active
Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active
Directory as the source to retrieve the current user identity information for specific IP addresses and
allows transparent authentication for Active Directory users.
Identity-based firewall services enhance the existing access control and security policy mechanisms by
allowing users or groups to be specified in place of source IP addresses. Identity-based security policies
can be interleaved without restriction between traditional IP-address-based rules in the same access list.
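To make the "interleaved" point concrete, here is an added example of a single inbound ASA access list that mixes identity-based entries with ordinary IP-address-based entries. It is not taken from the Cisco guide; the domain EXAMPLE, the group name group.finance, the user jdoe, the interface name, and all IP addresses are placeholders chosen for illustration. The identity entries only take effect once the ASA has been joined to the AD domain and the AD Agent is reachable, which the rest of this chapter covers.

```cisco
! Added example (not from the Cisco guide). EXAMPLE, group.finance, jdoe,
! and the addresses are placeholders.
!
! Identity rule: members of the AD group "finance" may reach the finance
! server over HTTPS from any workstation, whatever its IP address.
! A user-group is written with a double backslash between domain and group.
access-list INSIDE_IN extended permit tcp user-group EXAMPLE\\group.finance any host 10.1.10.20 eq 443
!
! Traditional IP rule, interleaved with the identity rules: the monitoring
! subnet may poll the same server over SNMP, no user identity required.
access-list INSIDE_IN extended permit udp 10.1.50.0 255.255.255.0 host 10.1.10.20 eq 161
!
! Identity rule for a single user account (single backslash for a user).
access-list INSIDE_IN extended permit tcp user EXAMPLE\jdoe any host 10.1.10.20 eq 22
!
! Explicit, logged deny so that attempts by anyone else to reach the finance
! server show up in syslog with the user name when one is known.
access-list INSIDE_IN extended deny ip any host 10.1.10.20 log
!
! Remaining traffic from the inside network is permitted outbound.
access-list INSIDE_IN extended permit ip any any
!
access-group INSIDE_IN in interface inside
```

Because the ACL is evaluated top down, the ordering above deliberately puts the identity and IP entries that permit access to the finance server before the logged deny; a packet from a workstation whose logged-in user is not yet known to the ASA matches neither identity entry and is caught by the deny, which is the behaviour a reviewer should expect and test for during rollout.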
The key benefits of the Identity Firewall include:
• Decoupling network topology from security policies
• Simplifying the creation of security policies
• Providing the ability to easily identify user activities on network resources
• Simplifying user activity monitoring
Architecture for Identity Firewall Deployments
The Identity Firewall integrates with Windows Active Directory in conjunction with an external Active
Directory (AD) Agent that provides the actual identity mapping.
The Identity Firewall consists of three components:
• ASA
• Microsoft Active Directory
  Though Active Directory is part of the Identity Firewall on the ASA, it is managed by Active
  Directory administrators. The reliability and accuracy of the identity data depend on the data in
  Active Directory.
  Supported versions include Windows Server 2003, Windows Server 2008, and Windows Server
  2008 R2.
• Active Directory (AD) Agent
  The AD Agent runs on a Windows server. Supported Windows servers include Windows 2003,
  Windows 2008, and Windows 2008 R2.
  Note Windows 2003 R2 is not supported for the AD Agent server.