36-17
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Step 5
Command:
hostname(config)# user-identity inactive-user-timer minutes minutes
Example:
hostname(config)# user-identity inactive-user-timer minutes 120
Purpose:
Specifies the amount of time before a user is considered idle, meaning the ASA has not received traffic from the user's IP address for the specified amount of time.
When the timer expires, the user's IP address is marked as inactive and removed from the local cached user identity-IP address mappings database, and the ASA no longer notifies the AD Agent about that IP address removal. Existing traffic is still allowed to pass. When this command is specified, the ASA runs an inactive timer even when the NetBIOS Logout Probe is configured.
By default, the idle timeout is set to 60 minutes.
Note: The Idle Timeout option does not apply to VPN or cut-through proxy users.

Step 6
Command:
hostname(config)# user-identity poll-import-user-group-timer hours hours
Example:
hostname(config)# user-identity poll-import-user-group-timer hours 1
Purpose:
Specifies the amount of time before the ASA queries the Active Directory server for user group information.
If a user is added to or deleted from an Active Directory group, the ASA receives the updated user group information after the import group timer runs.
By default, the poll-import-user-group-timer is 8 hours.
To immediately update user group information, enter the following command:
user-identity update import-user
See the CLI configuration guide.

Step 7
Command:
hostname(config)# user-identity action netbios-response-fail remove-user-ip
Purpose:
Specifies the action when a client does not respond to a NetBIOS probe. For example, the network connection might be blocked to that client, or the client is not active.
When the user-identity action netbios-response-fail remove-user-ip command is configured, the ASA removes the user identity-IP address mapping for that client.
By default, this command is disabled.
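The three settings in Steps 5 to 7 are easy to lose track of because two of them fall back to defaults when omitted and the third is off unless explicitly enabled. The following is an added example, not Cisco code and not part of the configuration guide: a small Python audit that reads a constructed excerpt of ASA running-config text, reports the effective inactive-user timer, group import poll interval, and NetBIOS-fail action (applying the documented defaults of 60 minutes, 8 hours, and disabled for anything not set), and flags values outside review thresholds. The thresholds in audit_settings(), the hostname, and the config lines themselves are assumptions chosen for illustration, not Cisco recommendations.

```python
"""Audit identity-firewall timer settings from an ASA running-config excerpt.

Added example (not Cisco's code). Parses the three user-identity commands
from Steps 5 to 7 and fills in the defaults the guide documents for anything
that is not explicitly configured. Review thresholds are assumptions.
"""
import re

# Defaults as documented in the configuration guide.
DEFAULT_INACTIVE_TIMER_MINUTES = 60
DEFAULT_POLL_IMPORT_HOURS = 8

# Constructed running-config excerpt; hostname and domain are placeholders.
SAMPLE_RUNNING_CONFIG = """\
hostname asa-placeholder
user-identity domain EXAMPLE aaa-server ad-servers
user-identity default-domain EXAMPLE
user-identity inactive-user-timer minutes 120
user-identity action netbios-response-fail remove-user-ip
"""

_INACTIVE_RE = re.compile(r"^user-identity inactive-user-timer minutes (\d+)$")
_POLL_RE = re.compile(r"^user-identity poll-import-user-group-timer hours (\d+)$")
_NETBIOS_FAIL_LINE = "user-identity action netbios-response-fail remove-user-ip"


def effective_settings(config_text):
    """Return the effective Step 5-7 settings for a running-config excerpt.

    Settings absent from the config are reported at their documented defaults;
    the 'explicit' set records which ones the administrator actually configured.
    """
    settings = {
        "inactive_user_timer_minutes": DEFAULT_INACTIVE_TIMER_MINUTES,
        "poll_import_user_group_hours": DEFAULT_POLL_IMPORT_HOURS,
        "netbios_response_fail_remove_user_ip": False,  # disabled by default
        "explicit": set(),
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _INACTIVE_RE.match(line)
        if m:
            settings["inactive_user_timer_minutes"] = int(m.group(1))
            settings["explicit"].add("inactive_user_timer_minutes")
            continue
        m = _POLL_RE.match(line)
        if m:
            settings["poll_import_user_group_hours"] = int(m.group(1))
            settings["explicit"].add("poll_import_user_group_hours")
            continue
        if line == _NETBIOS_FAIL_LINE:
            settings["netbios_response_fail_remove_user_ip"] = True
            settings["explicit"].add("netbios_response_fail_remove_user_ip")
    return settings


def audit_settings(settings, max_idle_minutes=120, max_poll_hours=4):
    """Return review findings as strings. The limits are assumed thresholds."""
    findings = []
    idle = settings["inactive_user_timer_minutes"]
    if idle > max_idle_minutes:
        findings.append(
            f"idle timeout {idle} min exceeds review limit {max_idle_minutes} min; "
            "stale identity-IP mappings keep matching identity rules until they expire"
        )
    poll = settings["poll_import_user_group_hours"]
    if poll > max_poll_hours:
        findings.append(
            f"group import poll {poll} h exceeds review limit {max_poll_hours} h; "
            "AD group changes take up to that long to apply unless "
            "'user-identity update import-user' is run"
        )
    if not settings["netbios_response_fail_remove_user_ip"]:
        findings.append(
            "netbios-response-fail action is disabled (default); mappings for "
            "clients that stop answering NetBIOS probes are not removed"
        )
    return findings


if __name__ == "__main__":
    current = effective_settings(SAMPLE_RUNNING_CONFIG)
    for key in ("inactive_user_timer_minutes", "poll_import_user_group_hours",
                "netbios_response_fail_remove_user_ip"):
        origin = "explicit" if key in current["explicit"] else "default"
        print(f"{key}: {current[key]} ({origin})")
    for finding in audit_settings(current):
        print("FINDING:", finding)
```

Running the script against the constructed excerpt reports the 120-minute idle timer and the NetBIOS-fail action as explicitly set, the 8-hour poll interval as a default, and raises a single finding for the poll interval; an empty config yields two findings (default poll interval and disabled NetBIOS action) while the 60-minute default idle timer passes.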