13-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Tip You can use the wizard multiple times to configure different NetBIOS domains. However, the wizard always prompts for AD agent information. Because you can configure a single group for AD agents, not a separate group per domain, the selection overwrites any AD agent configuration that you have already made. So be sure to select the same AAA server group for the AD agents each time you run the wizard.
Step 3 If not using the wizard, configure the AD servers. The AD servers are used for obtaining user membership information for any AD user groups that you use in identity-aware firewall policies.
The table lists the AD servers for the network. You need to add an entry for each NetBIOS domain name. Each row defines the AAA server group used to identify the AD LDAP servers for the domain, and whether identity-aware firewall rules for the domain are active or inactive if the AD server group is unavailable.
You can do the following:
• To add an entry, click the Add Row (+) button and fill in the Add AD Domain Server dialog box. See Domain AD Server Dialog Box, page 13-10.
• To edit an entry, select it and click the Edit Row (pencil) button.
• To delete an entry, select it and click the Delete Row (trash can) button.
Step 4 If not using the wizard, configure the AD agents. The AD agents obtain user login/logoff and IP address mappings from the AD servers. The ASA then obtains the information from the AD agent.
In Active Directory Agent Group, enter the name of the AAA server group object that defines the list of AD agents, or click Select to select it from a list or to create a new group object.
Step 5 In Default Domain, select the domain to configure as the default domain on the device. You must add the domain to the AD server table before you can select it as the default domain.
The default is LOCAL, which applies to user groups defined on the device or to VPN users who authenticate using a method other than an AD server configured for identity services. This setting is also used if you configure cut-through proxy (see Configuring Cut-Through Proxy, page 13-23).
Step 6 Click Save to save your changes.
You are asked if the identity settings page in the administrative settings should be updated with the domain-to-AD server mappings. The identity settings determine which servers are used when you use the Find feature when specifying users or user groups in a firewall policy or an identity user group object. The identity administrative settings do not affect the configuration of the ASA.
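The device-side counterpart of Steps 3 through 6, shown as an added example that is not part of this guide and not generated by Security Manager: the ASA CLI that the AD server table, the AD agent group and the default domain setting correspond to, for one NetBIOS domain. The interface name, addresses, group names, bind account DN, secrets and the domain name EXAMPLE are constructed placeholders; the command syntax follows the ASA user-identity command set as the editor recalls it and should be checked against the release running on the device.

```text
! Added example (constructed values, not from this guide).
!
! Step 3 equivalent: one AAA server group per NetBIOS domain, listing that
! domain's AD LDAP servers. The bind account only needs read access to
! group membership; do not reuse an administrative account for it.
aaa-server EXAMPLE-AD protocol ldap
aaa-server EXAMPLE-AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=example,DC=com
 ldap-login-password <ldap-bind-password>
 server-type microsoft
!
! Step 4 equivalent: a single RADIUS group in AD agent mode. As the Tip
! above notes, there is only one agent group on the device, so the same
! group is referenced no matter how many domains are configured.
aaa-server AD-AGENTS protocol radius
 ad-agent-mode
aaa-server AD-AGENTS (inside) host 192.0.2.20
 key <radius-shared-secret>
!
! One row of the AD server table: NetBIOS domain -> LDAP server group.
user-identity domain EXAMPLE aaa-server EXAMPLE-AD
user-identity ad-agent aaa-server AD-AGENTS
!
! The "inactive if the AD server group is unavailable" choice for the row:
! with this line present, identity rules for EXAMPLE are taken out of the
! policy while its domain controllers are unreachable. Omit it to keep the
! rules active (the choice the table calls "active").
user-identity action domain-controller-down EXAMPLE disable-user-identity-rule
!
! Step 5 equivalent: the domain assumed for users and groups that carry no
! domain qualifier. LOCAL is the shipped default.
user-identity default-domain EXAMPLE
!
! Turn the identity firewall on.
user-identity enable
```

After deployment, `show user-identity ad-agent` reports whether the ASA can reach the agent, and `show user-identity statistics` shows whether user-to-IP mappings are arriving; the row's active/inactive choice only matters once those two checks pass, because a rule set that silently drops out of the policy when a domain controller is down is the failure mode the table column exists to make explicit.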
Domain AD Server Dialog Box
Use the Add or Edit Domain AD Server dialog box to define the Active Directory server group for a NetBIOS domain. If you configure firewall rules for a user group in the NetBIOS domain, the user membership is determined by querying the AD servers defined for the domain.
Navigation Path
Do one of the following:
• From the AD Setup tab of the Identity Options page, click the Add or Edit buttons for the domain table. See Identifying Active Directory Servers and Agents, page 13-8.