13-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Overview of Identity-Aware Firewall Policies
Identity-based firewall services enhance the existing access control and security policy mechanisms by allowing users or groups to be specified as sources, and FQDNs in place of source or destination IP addresses. Identity-based security policies can be interleaved without restriction with traditional IP-address-based rules.
The key benefits of the Identity Firewall include:
• Decoupling network topology from security policies. The rules apply to a user regardless of where the user connects in the network.
• Simplifying the creation of security policies.
• Providing the ability to easily identify user activities on network resources.
• Simplifying user activity monitoring.
This section contains the following topics:
• User Identity Acquisition, page 13-2
• Requirements for Identity-Aware Firewall Policies, page 13-3
• Configuring the Firewall to Provide Identity-Aware Services, page 13-7
User Identity Acquisition
When you specify Active Directory user names or user group names in a firewall policy, the ASA eventually needs to map the name to an IP address to process packets. The ASA uses two primary sources for this information:
• User group membership—If you specify a user group in a rule, the ASA contacts the configured Active Directory (AD) server to obtain group membership.
• User-to-IP address mappings—For users who log into the network domain on your standard (non-VPN) network, the AD agent, in communication with the AD server, obtains the login information and creates a user-to-IP address mapping table. This information is supplied to the ASA.
You must install and configure the required AD servers and agents before you can configure user-based identity firewall policies. For an explanation of the various deployment scenarios, see the ASA configuration guide for ASDM or CLI at http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html.
User names are acquired for the following types of traffic, and include the AD domain unless noted otherwise:
• Standard traffic.
• Remote access VPN, including IPsec IKEv1 and IKEv2, AnyConnect clients, and L2TP VPN. If you use LDAP authentication for the VPN, and use the same server group for a domain for the VPN and identity firewall, the users are associated with the domain used for authentication. For all other authorization mechanisms, users acquired through VPN are considered to be in the LOCAL domain. The ASA reports these users to the AD agent, which distributes them to other ASAs or clients registered with the AD agent.
Note: User names are not acquired for clientless SSL VPN.
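The two identity sources described under User Identity Acquisition, and the interleaving of identity rules with IP-address rules noted in the overview, as an added Python model. This is an illustration written for this page, not ASA code or the product's actual lookup algorithm; the users, groups, addresses, LOCAL-domain VPN user and policy are all constructed.

```python
# Added illustration (not ASA code): first-match evaluation of a rule set in
# which user/group rules are interleaved with traditional IP-address rules,
# using the two identity sources the guide names: AD group membership and the
# AD agent's user-to-IP mapping table.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for data the AD server and AD agent would supply.
AD_GROUPS = {"EXAMPLE\\marketing": {"EXAMPLE\\jsmith", "EXAMPLE\\alee"}}
USER_TO_IP = {                       # IP -> DOMAIN\user, as learned by the AD agent
    "10.1.1.20": "EXAMPLE\\jsmith",
    "10.1.1.21": "EXAMPLE\\bob",
    "192.0.2.50": "LOCAL\\vpnuser",  # VPN user authenticated with a non-LDAP method
}

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str = "0.0.0.0/0"       # traditional IP source (CIDR)
    dst_net: str = "0.0.0.0/0"
    user: Optional[str] = None       # DOMAIN\user
    group: Optional[str] = None      # DOMAIN\group

def src_matches(rule: Rule, src_ip: str) -> bool:
    if ip_address(src_ip) not in ip_network(rule.src_net):
        return False
    if rule.user is None and rule.group is None:
        return True                  # pure IP-based rule
    user = USER_TO_IP.get(src_ip)    # no mapping: identity rules cannot match
    if user is None:
        return False
    if rule.user is not None:
        return user == rule.user
    return user in AD_GROUPS.get(rule.group, set())

def evaluate(rules, src_ip: str, dst_ip: str, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if src_matches(rule, src_ip) and ip_address(dst_ip) in ip_network(rule.dst_net):
            return rule.action
    return default

# Constructed policy: identity rules and IP rules interleaved.
POLICY = [
    Rule("deny", user="EXAMPLE\\bob", dst_net="203.0.113.0/24"),
    Rule("permit", group="EXAMPLE\\marketing", dst_net="203.0.113.0/24"),
    Rule("permit", src_net="10.1.1.0/24", dst_net="198.51.100.0/24"),
    Rule("permit", user="LOCAL\\vpnuser"),
]
```

A source address with no entry in the mapping table never matches an identity rule, so traffic from such a host is decided only by the IP-based rules and the default; that fall-through is worth checking when identity rules are added to an existing policy.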