36-19
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
What to Do Next
Configure the Active Directory domain and server groups. See Configuring the Active Directory Domain, page 11.
Configure AD Agents. See Configuring Active Directory Agents, page 13.
Step 12
Command:
hostname(config)# user-identity ad-agent active-user-database {on-demand | full-download}
Example:
hostname(config)# user-identity ad-agent active-user-database full-download
Purpose:
Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:
full-download: Specifies that the ASA send a request to the AD Agent to download the entire IP-user mapping table when the ASA starts, and then receive incremental IP-user mapping updates when users log in and log out.
on-demand: Specifies that the ASA retrieve the user mapping information of an IP address from the AD Agent when the ASA receives a packet that requires a new connection and the user of its source IP address is not in the user-identity database.
By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.
Full downloads are event driven, meaning that subsequent requests to download the database send just the updates to the user identity-IP address mapping database. When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.
Step 13
Command:
hostname(config)# user-identity ad-agent hello-timer seconds seconds retry-times number
Example:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3
Purpose:
Defines the hello timer between the ASA and the AD Agent.
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5 retries.
Step 14
Command:
hostname(config)# user-identity ad-agent aaa-server aaa_server_group_tag
Example:
hostname(config)# user-identity ad-agent aaa-server adagent
Purpose:
Defines the server group of the AD Agent.
For aaa_server_group_tag, enter the value defined by the aaa-server command.
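Steps 12 through 14 together, as a worked example added here (it is not from the Cisco guide): a small Python check that reads an ASA running-config, pulls out the active-user-database mode, the hello timer and retry count, and the AD Agent server group, applies the documented defaults (30 seconds and 5 retries; on-demand on the ASA 5505, full-download elsewhere) when a line is absent, and confirms that the group named in Step 14 is actually defined by an aaa-server command. The sample configuration is constructed for the example; the aaa-server group lines, including protocol radius and the ad-agent-mode subcommand, are assumed to follow the form used when configuring the AD Agent server group, and the host address and key are placeholders.

```python
import re

# Constructed sample running-config (not taken from the guide). The aaa-server
# group definition is assumed to follow the AD Agent server-group syntax; the
# host address and shared key are placeholders.
SAMPLE_CONFIG = """\
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.0.2.10
 key ExampleSharedSecret
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 20 retry-times 3
user-identity ad-agent aaa-server adagent
"""

# Defaults stated in Step 13.
DEFAULT_HELLO_SECONDS = 30
DEFAULT_RETRY_TIMES = 5


def aaa_server_groups(config_text):
    """Map each aaa-server group tag to the protocol it was defined with."""
    groups = {}
    for m in re.finditer(r"^aaa-server (\S+) protocol (\S+)", config_text, re.M):
        groups[m.group(1)] = m.group(2)
    return groups


def parse_ad_agent(config_text):
    """Extract the Step 12-14 settings; absent lines fall back to the defaults."""
    settings = {
        "mode": None,                       # None means 'use the platform default'
        "hello_seconds": DEFAULT_HELLO_SECONDS,
        "retry_times": DEFAULT_RETRY_TIMES,
        "aaa_group": None,
    }
    m = re.search(r"^user-identity ad-agent active-user-database (on-demand|full-download)",
                  config_text, re.M)
    if m:
        settings["mode"] = m.group(1)
    m = re.search(r"^user-identity ad-agent hello-timer seconds (\d+) retry-times (\d+)",
                  config_text, re.M)
    if m:
        settings["hello_seconds"] = int(m.group(1))
        settings["retry_times"] = int(m.group(2))
    m = re.search(r"^user-identity ad-agent aaa-server (\S+)", config_text, re.M)
    if m:
        settings["aaa_group"] = m.group(1)
    return settings


def effective_mode(settings, platform):
    """Apply the platform default from Step 12 when no mode is configured."""
    if settings["mode"]:
        return settings["mode"]
    return "on-demand" if platform.upper() == "ASA5505" else "full-download"


def check_ad_agent(config_text, platform="ASA5520"):
    """Return a list of findings; an empty list means the three steps are consistent."""
    findings = []
    settings = parse_ad_agent(config_text)
    groups = aaa_server_groups(config_text)
    group = settings["aaa_group"]
    if group is None:
        findings.append("Step 14 missing: no 'user-identity ad-agent aaa-server' line")
    elif group not in groups:
        findings.append(f"AD Agent group '{group}' is not defined by any aaa-server command")
    elif groups[group] != "radius":
        # Assumption: the AD Agent server group is a RADIUS group.
        findings.append(f"AD Agent group '{group}' uses protocol '{groups[group]}', expected radius")
    return findings


def summarize(config_text, platform="ASA5520"):
    """Resolved settings, with the worst-case time to exhaust the hello retries."""
    s = parse_ad_agent(config_text)
    return {
        "mode": effective_mode(s, platform),
        "hello_seconds": s["hello_seconds"],
        "retry_times": s["retry_times"],
        # Derived here, not stated in the guide: interval x retries.
        "retry_window_seconds": s["hello_seconds"] * s["retry_times"],
        "aaa_group": s["aaa_group"],
        "findings": check_ad_agent(config_text, platform),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against `show running-config` output saved to a file to confirm that the group tag in Step 14 matches a real aaa-server group; a mismatch there is the most common reason the ASA never learns any IP-user mappings.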