36-18
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Step8 hostname(config)# user-identity action
domain-controller-down domain_nickname
disable-user-identity-rule
Example:
hostname(config)# user-identity action
domain-controller-down SAMPLE
disable-user-identity-rule
Specifies the action when the domain is down
because Active Directory domain controller is not
responding.
When the domain is down and the
disable-user-identity-rule keyword is configured,
the ASA disables the user identity-IP address
mappings for that domain. Additionally, the status of
all user IP addresses in that domain are marked as
disabled in the output displayed by the show
user-identity user command.
By default, this command is disabled.
Step9 hostname(config)# user-identity user-not-found
enable
Enables user-not-found tracking. Only the last 1024
IP addresses tracked.
By default, this command is disabled.
Step10 hostname(config)# user-identity action ad-agent-down
disable-user-identity-rule
Specifies the action when the AD Agent is not
responding.
When the AD Agent is down and the user-identity
action ad-agent-down is configured, the ASA
disables the user identity rules associated with the
users in that domain. Additionally, the status of all
user IP addresses in that domain are marked as
disabled in the output displayed by the show
user-identity user command.
By default, this command is disabled.
Step11 hostname(config)# user-identity action
mac-address-mismatch remove-user-ip
Specifies the action when a user's MAC address is
found to be inconsistent with the ASA device IP
address currently mapped to that MAC address.
When the user-identity action
mac-address-mismatch command is configured,
the ASA removes the user identity-IP address
mapping for that client.
By default, the ASA uses the remove-user-ip
keyword when this command is specified.
Command Purpose