Cisco Systems CL-28826-01 User Identity Acquisition

13-2

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 13 Managing Identity-Aware Firewall Policies

Overview of Identity-Aware Firewall Policies

Identity-based firewall services enhance the existing access control and security policy mechanisms by

allowing users or groups to be specified as sources, and FQDNs in place of source or destination IP

addresses. Identity-based security policies can be interleaved without restriction between traditional IP

address based rules.

The key benefits of the Identity Firewall include:

•Decoupling network topology from security policies. The rules will apply to a user regardless of

where the user connects in the network.

•Simplifying the creation of security policies.

•Providing the ability to easily identify user activities on network resources.

•Simplify user activity monitoring.

This section contains the following topics:

•User Identity Acquisition, page 13-2

•Requirements for Identity-Aware Firewall Policies, page 13-3

•Configuring the Firewall to Provide Identity-Aware Services, page 13-7

User Identity Acquisition

When you specify Active Directory user names or user group names in a firewall policy, the ASA

eventually needs to map the name to an IP address to process packets. The ASA uses two primary sources

for this information:

•User group membership—If you specify a user group in a rule, the ASA contacts the configured

Active Directory (AD) server to obtain group membership.

•User-to-IP address mappings—For users who log into the network domain on your standard

(non-VPN) network, the AD agent, in communication with the AD server, obtains the login

information and creates a user-to-IP address mapping table. This information is supplied to the ASA.

You must install and configure the required AD servers and agents before you can configure user-based

identity firewall policies. For an explanation of the various deployment scenarios, see the ASA

configuration guide for ASDM or CLI at

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.ht

ml.

User names are acquired for the following types of traffic, and include the AD domain unless noted

otherwise:

•Standard traffic.

•Remote access VPN, including IPsec IKEv1 and IKEv2, AnyConnect clients, and L2TP VPN. If you

use LDAP authentication for the VPN, and use the same server group for a domain for the VPN and

identity firewall, the users are associated with the domain used for authentication. For all other

authorization mechanisms, users acquired through VPN are considered to be in the LOCAL domain.

The ASA reports these users to the AD agent, which distributes them to other ASAs or clients

registered with the AD agent.

Note User names are not acquired for clientless SSL VPN.