36-4
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Information About the Identity Firewall
• Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature works in tandem with the existing 5-tuple solution.
• Supports usage with IPS and Application Inspection policies.
• Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN and cut-through proxy. All retrieved users are populated to all ASA devices connected to the AD Agent.
Scalability
• Each AD Agent supports 100 ASA devices. Multiple ASA devices are able to communicate with a single AD Agent to provide scalability in larger network deployments.
• Supports 30 Active Directory servers provided the IP address is unique among all domains.
• Each user identity in a domain can have up to 8 IP addresses.
• Supports up to 64,000 user identity-IP address mappings in active ASA policies for ASA 5500 Series models. This limit controls the maximum number of users who have policies applied. The total users are the aggregated users configured on all different contexts.
• Supports up to 1024 user identity-IP address mappings in active ASA policies for the ASA 5505.
• Supports up to 256 user groups in active ASA policies.
• A single rule can contain one or more user groups or users.
• Supports multiple domains.
Availability
• The ASA retrieves group information from Active Directory and falls back to web authentication for source IP addresses that the AD Agent cannot map to a user identity.
• The AD Agent continues to function when any of the Active Directory servers or the ASA are not responding.
• Supports configuring a primary AD Agent and a secondary AD Agent on the ASA. If the primary AD Agent stops responding, the ASA can switch to the secondary AD Agent.
• If the AD Agent is unavailable, the ASA can fall back to existing identity sources such as cut-through proxy and VPN authentication.
• The AD Agent runs a watchdog process that automatically restarts its services when they are down.
• Allows a distributed IP address/user mapping database among ASA devices.
Deployment Scenarios
You can deploy the components of the Identity Firewall in the following ways, depending on your environment's requirements.
As shown in Figure 36-2, you can deploy the components of the Identity Firewall to allow for
redundancy. Scenario 1 shows a simple installation without component redundancy.
Scenario 2 also shows a simple installation without redundancy. However, in that deployment scenario,
the Active Directory server and AD Agent are co-located on one Windows server.