36-23
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
If the backslash (\) delimiter is not found in the login credentials, the ASA does not parse a domain, and authentication is conducted with the AAA server group that corresponds to the default domain configured for the Identity Firewall.
If no default domain is configured, or no server group is configured for that default domain, the ASA rejects the authentication.
If the domain is not specified, the ASA selects the AAA server group for the default domain that is configured for the Identity Firewall.
Detailed Steps
To configure the cut-through proxy for the Identity Firewall, perform the following steps:
Step 1
Command:
  hostname(config)# access-list access_list_name extended permit tcp any user_ip_address 255.255.255.255 eq http
  hostname(config)# access-list access_list_name extended permit tcp any user_ip_address 255.255.255.255 eq https
Example:
  hostname(config)# access-list listenerAuth extended permit tcp any any
Purpose:
  Creates an access list that permits HTTP or HTTPS traffic from the user's client.

Step 2
Command:
  hostname(config)# aaa authentication listener http inside port port
Example:
  hostname(config)# aaa authentication listener http inside port 8888
Purpose:
  Enables the HTTP(S) listening port that authenticates the user.

Step 3
Command:
  hostname(config)# access-list access_list_name {deny | permit} protocol [{user-group [domain_name\\]user_group_name | user {[domain_name\\]user_name | any | none} | object-group-user object_group_user_name}] {any | host sip | sip smask | interface name | object src_object_name | object-group network_object_group_name} [eq port | …] {object-group-user dst_object_group_name | object dst_object_name | host dst_host_name | ip_address} [object-group service_object_name | eq port | …]
Examples:
  hostname(config)# access-list 100 ex deny ip user CISCO\abc any any
  hostname(config)# access-list 100 ex permit ip user NONE any any
Purpose:
  Creates an access control entry that controls access using user identity or group identity.
  See the access-list extended command in the Cisco ASA 5500 Series Command Reference for a complete description of the command syntax.
  The keywords user-group any and user-group none can be specified to support cut-through proxy authentication:
    any: the access list matches any IP address that has already been associated with a user.
    none: the access list matches any IP address that has not been associated with any user.

Step 4
Command:
  hostname(config)# aaa authentication match access_list_name inside user-identity
Example:
  hostname(config)# aaa authentication match listenerAuth inside user-identity
Purpose:
  Enables authentication for connections through the ASA and ties them to the Identity Firewall feature.

Examples
Example 1
This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA.
In this example, the following conditions apply:
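Added example, not from the Cisco guide: a small Python audit that parses a constructed ASA running config and checks that the four cut-through proxy steps above are present and consistent (listener access list defined, listener enabled on the same interface as the aaa authentication match statement, and at least one identity-based access control entry). The sample config text and the function names are constructed for this example; only the command syntax comes from the guide.

```python
import re

# Constructed sample running config covering the four steps (not from a real device).
SAMPLE_CONFIG = """\
access-list listenerAuth extended permit tcp any any
aaa authentication listener http inside port 8888
access-list 100 extended deny ip user CISCO\\abc any any
access-list 100 extended permit ip user NONE any any
aaa authentication match listenerAuth inside user-identity
"""

def parse_config(text):
    """Collect the access lists, AAA listeners and AAA match statements."""
    acls = {}       # access-list name -> list of ACE bodies
    listeners = []  # (protocol, interface, port)
    matches = []    # (access-list name, interface)
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) (?:extended|ex) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"aaa authentication listener (https?) (\S+) port (\d+)", line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = re.match(r"aaa authentication match (\S+) (\S+) user-identity", line)
        if m:
            matches.append((m.group(1), m.group(2)))
    return acls, listeners, matches

def audit_cut_through_proxy(text):
    """Return findings (step numbers refer to the table above); [] means complete."""
    acls, listeners, matches = parse_config(text)
    findings = []
    if not listeners:
        findings.append("step 2: no 'aaa authentication listener' configured")
    if not matches:
        findings.append("step 4: no 'aaa authentication match ... user-identity'")
    for acl_name, interface in matches:
        if acl_name not in acls:
            findings.append(f"step 1: access-list {acl_name} is referenced but not defined")
        if not any(interface == lst[1] for lst in listeners):
            findings.append(f"step 2: no listener on interface {interface}")
    # Step 3: at least one ACE must key on a user, user-group or user object group.
    identity = re.compile(r"\b(user|user-group|object-group-user)\b")
    if not any(identity.search(ace) for aces in acls.values() for ace in aces):
        findings.append("step 3: no access-list entry matches on user identity")
    return findings
```

Run audit_cut_through_proxy() over a `show running-config` capture to get the list of missing or inconsistent steps; an empty list means all four steps are present.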