36-22
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Configuring Cut-through Proxy Authentication
In an enterprise, some users log onto the network by using other authentication mechanisms, such as
authenticating with a web portal (cut-through proxy) or by using a VPN. For example, users with
Macintosh and Linux clients might log in through a web portal (cut-through proxy) or by using a VPN.
Therefore, you must configure the Identity Firewall to allow these types of authentication in connection
with identity-based access policies.
The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the
Active Directory domain with which they authenticated. The ASA designates users logging in through
a VPN as belonging to the LOCAL domain, unless the VPN is authenticated by LDAP with Active
Directory, in which case the Identity Firewall can associate the users with their Active Directory domain.
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the
AD Agent, which distributes the user information to all registered ASA devices.
Users can log in by using HTTP/HTTPS, FTP, Telnet, or SSH. When users log in with these
authentication methods, the following guidelines apply:
• For HTTP/HTTPS traffic, an authentication window appears for unauthenticated users.
• For Telnet and FTP traffic, users must log in through the cut-through proxy and then again to the
Telnet or FTP server.
• A user can specify an Active Directory domain while providing login credentials (in the format
domain\username). The ASA automatically selects the associated AAA server group for the
specified domain.
• If a user specifies an Active Directory domain while providing login credentials (in the format
domain\username), the ASA parses the domain and uses it to select an authentication server from
the AAA servers configured for the Identity Firewall. Only the username is passed to the AAA
server.
Step 5
Command:
hostname(config)# access-list access_list_name {deny | permit} protocol [{user-group [domain_name\\]user_group_name | user {[domain_name\\]user_name | any | none} | object-group-user object_group_user_name}] {any | host sip | sip smask | interface name | object src_object_name | object-group network_object_group_name} [eq port | …] {object-group-user dst_object_group_name | object dst_object_name | host dst_host_name | ip_address} [object-group service_object_name | eq port | …]

Examples:
hostname(config)# access-list identity-list1 permit ip user SAMPLE\user1 any any
hostname(config)# access-list aclname extended permit ip user-group SAMPLE\\group.marketing any any
hostname(config)# access-list aclname extended permit ip object-group-user asausers any any

Purpose:
Creates an access control entry that controls access using user identity or group identity.
You can specify [domain_nickname\]user_name and [domain_nickname\]user_group_name directly without specifying them in an object-group first.
See the access-list extended command in the Cisco ASA 5500 Series Command Reference for a complete description of the command syntax.
The keywords user-group any and user-group none can be specified to support cut-through proxy authentication. See Configuring Cut-through Proxy Authentication, page 36-22.

Step 6
Command:
hostname(config)# access-group access-list global

Examples:
hostname(config)# access-group aclname global

Purpose:
Applies a single set of global rules to all interfaces with the single command.
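The following configuration fragment is an added, constructed example (not taken from the configuration guide) that ties Step 5 and Step 6 to the cut-through proxy guidelines above: users the ASA has not yet identified are matched with user-group none and allowed only to the authentication portal, while identified members of an AD group get their own policy. The AAA server group name SAMPLE-LDAP, the addresses, and the aaa authentication match command are assumptions not shown on this page.

```cisco
! Constructed example. Assumes AAA server group SAMPLE-LDAP already exists and
! is the group mapped to the SAMPLE Active Directory domain for the Identity Firewall.
!
! Step 5: identity-based ACEs.
! Unidentified users (user-group none) may reach only the HTTPS portal that
! performs the cut-through proxy login, so they cannot bypass authentication.
access-list identity-acl extended permit tcp user-group none any host 10.1.1.10 eq 443
! Once identified, members of the marketing group may reach the intranet subnet.
access-list identity-acl extended permit ip user-group SAMPLE\\group.marketing any 10.2.0.0 255.255.0.0
! Explicit final deny so unmatched identities and destinations are dropped.
access-list identity-acl extended deny ip any any
!
! Force cut-through proxy authentication for traffic to the portal on the inside
! interface, using the server group mapped to the SAMPLE domain.
access-list auth-acl extended permit tcp any host 10.1.1.10 eq 443
aaa authentication match auth-acl inside SAMPLE-LDAP
!
! Step 6: apply the identity ACL to all interfaces with one command.
access-group identity-acl global
```

After a user completes the portal login as SAMPLE\username, the AD Agent learns the mapping and the second ACE, not the user-group none ACE, governs that user's traffic.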