36-10
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Configuring the Identity Firewall
Note: Before running the AD Agent Installer, you must install the following patches on every Microsoft Active
Directory server that the AD Agent monitors. These patches are required even when the AD Agent is
installed directly on the domain controller server. See the README First for the Cisco Active Directory
Agent.
Configuring the Identity Firewall
This section contains the following topics:
Task Flow for Configuring the Identity Firewall, page 10
Configuring the Active Directory Domain, page 11
Configuring Active Directory Agents, page 13
Configuring Identity Options, page 14
Configuring Identity-based Access Rules, page 20
Configuring Cut-through Proxy Authentication, page 22
Configuring VPN Authentication, page 24
Task Flow for Configuring the Identity Firewall
Prerequisite
Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent
and Microsoft Active Directory. See Prerequisites, page 9 for information.
Task Flow in the ASA
To configure the Identity Firewall, perform the following tasks:
Step 1 Configure the Active Directory domain in the ASA.
See Configuring the Active Directory Domain, page 11.
See also Deployment Scenarios, page 4 for the ways in which you can deploy the Active Directory
servers to meet your environment requirements.
Step 2 Configure the AD Agent in the ASA.
See Configuring Active Directory Agents, page 13.
See also Deployment Scenarios, page 4 for the ways in which you can deploy the AD Agents to meet
your environment requirements.
Step 3 Configure Identity Options.
See Configuring Identity Options, page 14.
Step 4 Configure Identity-based Access Rules in the ASA.
After the AD domain and AD Agent are configured, you can specify identity-based access rules for
the ASA to enforce. See Configuring Identity-based Access Rules, page 20.
Step 5 Configure the cut-through proxy.