13-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter1 3 Managing Identity-Aware Firewall Policies
Overview of Identity-Aware Firewall Policies
IPv4 cut-through proxy. User names are not acquired for IPv6 cut-through proxy. If the user includes
the domain name during authentication, the user is associated with the domain name. Otherwise, the
domain is the default domain as configured in the Identity Options policy. See Configuring
Cut-Through Proxy, page 13-23.
Requirements for Identity-Aware Firewall Policies
Identity-aware firewall policies are not supported by all types of device and operating systems. The
following table explains the requirements and some limits for implementing these types of policies in
your network.
Table13-1 Requirements for Identity-Aware Firewall Policies
Requirement Description
Firewall device ASA running ASA Software version 8.4(2) or higher, but not including
the ASA-SM running 8.5(1). Single or multiple context configurations.
Tip The ASA must have on-board encryption acceleration. To
determine if the device has the required ability, log into the
device console and use the show version command. The output
should include “Encryption hardware device.”
You can register up to 100 ASAs with a single Active Directory agent.
Active Directory (AD) You must use Active Directory to define users and user groups. The
ASA obtains user group information directly from the AD server,
which runs the LDAP protocol. You cannot use other types of LDAP
servers.
For detailed information on the types of AD servers supported, and
their configuration requirements, see Installation and Setup Guide for
the Active Directory Agent on Cisco.com at
http://www.cisco.com/en/US/products/ps6120/prod_installation_guide
s_list.html.
Tip You can have multiple AD servers, but they must have unique
IP addresses among all domains. No other type of LDAP server
is supported.