36-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Information About the Identity Firewall
Figure 36-7 WAN-based Deployment with Remote AD Agent and AD Servers
Cut-through Proxy and VPN Authentication
In an enterprise, some users log onto the network by using other authentication mechanisms, such as
authenticating with a web portal (cut-through proxy) or by using a VPN. For example, users with a
Macintosh or Linux client might log in through a web portal (cut-through proxy) or by using a VPN.
Therefore, you must configure the Identity Firewall to allow these types of authentication in connection
with identity-based access policies.
Figure 36-8 shows a deployment to support a cut-through proxy authentication captive portal. Active
Directory servers and the AD Agent are installed on the main site LAN. However, the Identity Firewall
is configured to support authentication of clients that are not part of the Active Directory domain.
Figure 36-8 Deployment Supporting Cut-through Proxy Authentication
The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the
Active Directory domain with which they authenticated.
The ASA designates users logging in through a VPN as belonging to the LOCAL domain, unless the VPN
is authenticated by LDAP against Active Directory, in which case the Identity Firewall can associate the
users with their Active Directory domain.
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the
AD Agent, which distributes the user information to all registered ASA devices. Specifically, the user
identity-IP address mappings of authenticated users are forwarded to all ASA contexts that contain the
input interface where packets are received and authenticated.
See Configuring Cut-through Proxy Authentication, page 22.
[Figure 36-7 diagram: Enterprise Main Site containing the ASA, AD Servers (mktg.sample.com, 10.1.1.2) and an AD Agent, connected over the WAN to a Remote Site with its own AD Agent and AD Servers; links labeled Directory Sync, WMI, LDAP and RADIUS; a client at the remote site.]
[Figure 36-8 diagram: Inside Enterprise containing the ASA, AD Servers (mktg.sample.com, 10.1.1.2) and an AD Agent, with WMI, LDAP and RADIUS links; Windows Clients (Domain Members) and Non-domain Member Clients reach the ASA over the WAN / LAN via HTTP/HTTPS.]