36-13
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Configuring Active Directory Agents
Periodically or on-demand, the AD Agent monitors the Active Directory server security event log file
via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address
mappings. and notifies the ASA of changes.
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects
that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to
secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication
protocol; therefore, you should specify a key attribute for the shared secret between ASA and AD Agent.
Requirement
AD agent IP address
Shared secret between ASA and AD agent
To configure the AD Agents, perform the following steps:
What to Do Next
Configure access rules for the Identity Firewall. See Configuring Identity-based Access Rules, page 20.
Command Purpose
Step1 hostname(config)# aaa-server server-tag protocol
radius
Example:
hostname(config)# aaa-server adagent protocol radius
Creates the AAA server group and configures AAA
server parameters for the AD Agent.
Step1 hostname(config)# ad-agent-mode Enables the AD Agent mode.
Step2 hostname(config-aaa-server-group)# aaa-server
server-tag [(interface-name)] host {server-ip |
name} [key] [timeout seconds]
Example:
hostname(config-aaa-server-group)# aaa-server
adagent (inside) host 192.168.1.101
For the AD Agent, configures the AAA server as
part of a AAA server group and the AAA server
parameters that are host-specific.
Step3 hostname(config-aaa-server-host)# key key
Example:
hostname(config-aaa-server-host)# key mysecret
Specifies the server secret value used to authenticate
the ASA to the AD Agent server.
Step4 hostname(config-aaa-server-host)# user-identity
ad-agent aaa-server aaa_server_group_tag
Examples:
hostname(config-aaa-server-hostkey )# user-identity
ad-agent aaa-server adagent
Defines the server group of the AD Agent.
The first server defined in aaa_server_group_tag
variable is the primary AD Agent and the second
server defined is the secondary AD Agent.
The Identity Firewall supports defining only two
AD-Agent hosts.
When ASA detects the primary AD Agent is down
and a secondary agent is specified, it switches to
secondary AD Agent. The aaa-server for the AD
agent uses RADIUS as the communication protocol,
and should specify key attribute for the shared secret
between ASA and AD Agent.
Step5 hostname(config-aaa-server-host)# test aaa-server
ad-agent
Tests the communication between the ASA and the
AD Agent server.