39-17
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter39 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
The default domain is used for all users and user groups when a domain has not been explicitly
configured for those users or groups. When a default domain is not specified, the default domain for
users and groups is LOCAL.
Additionally, the Identity Firewall uses the LOCAL domain for all locally defined user groups or locally
defined users (users who log in and authenticate by using a VPN or web portal).
Note The default domain name you select must match the NetBIOS domain name configured on the
Active Directory domain controller. If the domain name does not match, the AD Agent will
incorrectly associate the user-IP mappings with the domain name you enter when configuring
the ASA.
To view the NetBIOS domain name, open the Active Directory user event security log in any text
editor.
For multiple context modes, you can set a default domain name for each context, as well as within the
system execution space.
Step 6 In the Active Directory Agent section, select the AD Agent group from the drop-down list. To add AD
Agent groups, click Manage. See Configuring Active Directory Agents, page 14.
Step 7 In the Hello Timer field, enter a number between 10 and 65535 seconds.
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello
packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and
domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello
packet after the specified interval.
Specify the number of times that the ASA will continue to send hello packets to the AD Agent. By
default, the hello interval is set to 30 seconds and the retry count is set to 5.
Step 8 In the Poll Group Timer field, enter the number of hours that the ASA uses to query the DNS server to
resolve fully qualified domain names (FQDNs). By default, the poll timer is set to 4 hours.
Step 9 In the Retrieve User Information section, select an option from the list:
On Demand—specifies that the ASA retrieve the user mapping information of an IP address from
the AD Agent when the ASA receives a packet that requires a new connection and the user of its
source IP address is not in the user-identity database.
Full Download—specifies that the ASA send a request to the AD Agent to download the entire
IP-user mapping table when the ASA starts and then to receive incremental IP-user mapping when
users log in and log out.
Note Selecting On Demand has the benefit of using less memory as only users of received packets are
queried and stored.
Step 10 In the Error Conditions section, select whether to disable rules when the AD Agent is not responding.
When the AD Agent is down and this option is selected, the ASA disables the user identity rules
associated with the users in that domain. Additionally, the status of all user IP addresses in that domain
is marked as disabled in the Monitoring > Properties > Identity > Users pane.
Step 11 In the Error Conditions section, select whether to remove a user’s IP address when the NetBIOS probe
fails.
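As an added illustration that is not part of this guide (which documents the ASDM dialog), the following is the ASA CLI form of the settings in Steps 6 through 11 using the default values named above. The AAA server group name adagent, the AD Agent address 10.0.0.5 and the domain name EXAMPLECORP are constructed placeholders, and the command syntax is assumed from the ASA CLI reference rather than taken from this page; check it against the reference for your release.

```cisco
! Added example, not from this guide: CLI equivalent of the ASDM Identity Firewall settings.
! Assumed/constructed: server group "adagent", AD Agent host 10.0.0.5, domain EXAMPLECORP.
! AD Agent group (Step 6): a RADIUS server group in AD Agent mode
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 10.0.0.5
 key <shared-secret-placeholder>
user-identity ad-agent aaa-server adagent
! Default domain: must match the NetBIOS domain name on the domain controller,
! otherwise the AD Agent associates user-IP mappings with the wrong domain
user-identity default-domain EXAMPLECORP
! Step 7: hello interval 10-65535 seconds; defaults are 30 seconds and 5 retries
user-identity ad-agent hello-timer seconds 30 retry-times 5
! Step 8: poll group timer in hours; default is 4
user-identity poll-import-user-group-timer hours 4
! Step 9: on-demand (less memory, only users of received packets) or full-download
user-identity ad-agent active-user-database on-demand
! Step 10: disable the user identity rules while the AD Agent is not responding
user-identity action ad-agent-down disable-user-identity-rule
! Step 11: remove the user's IP mapping when the NetBIOS probe fails
user-identity action netbios-response-fail remove-user-ip
! Turn the Identity Firewall on once the settings above are in place
user-identity enable
```

Keep the hello timer and retry count consistent with your AD Agent's expected load: with On Demand selected, each new source IP not yet in the user-identity database triggers a query, so an unreachable agent (Step 10) affects connection handling until the rules are re-enabled.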