Cisco Systems CL-28826-01 Domain AD Server Dialog Box

13-10

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 13 Managing Identity-Aware Firewall Policies

Configuring Identity-Aware Firewall Policies

Tip You can use the wizard multiple times to configure different NetBIOS domains. However, the

wizard always prompts for AD agent information. Because you can configure a single group for

AD agents, not a separate group per domain, the selection overwrites any AD agent

configuration that you have already made. So be sure to select the same AAA server group for

the AD agents each time you run the wizard.

Step 3 If not using the wizard, configure the AD servers. The AD servers are used for obtaining user

membership information for any AD user groups that you use in identity-aware firewall policies.

The table lists the AD servers for the network. You need to add an entry for each NetBIOS domain name.

Each row defines the AAA server group used to identify the AD LDAP servers for the domain, and

whether identity-aware firewall rules for the domain are active or inactive if the AD server group is

unavailable.

You can do the following:

•To add an entry, click the Add Row (+) button and fill in the Add AD Domain Server dialog box.

See Domain AD Server Dialog Box, page 13-10.

•To edit an entry, select it and click the Edit Row (pencil) button.

•To delete an entry, select it and click the Delete Row (trash can) button.

Step 4 If not using the wizard, configure the AD agents. The AD agents obtain user login/logoff and IP address

mappings from the AD servers. The ASA then obtains the information from the AD agent.

In Active Directory Agent Group, enter the name of the AAA server group object that defines the list

of AD agents, or click Select to select it from a list or to create a new group object.

Step 5 In Default Domain, select the domain to configure as the default domain on the device. You must add

the domain to the AD server table before you can select it as the default domain.

The default is LOCAL, which applies to user groups defined on the device or to VPN users who

authenticate using a method other than an AD server configured for identity services. This setting is also

used if you configure cut-through proxy (see Configuring Cut-Through Proxy, page 13-23).

Step 6 Click Save to save your changes.

You are asked if the identity settings page in the administrative settings should be updated with the

domain-to-AD server mappings. The identity settings determine which servers are used when you use

the Find feature when specifying users or user groups in a firewall policy or an identity user group object.

The identity administrative settings do not affect the configuration of the ASA.

Domain AD Server Dialog Box

Use the Add or Edit Domain AD Server dialog box to define the Active Directory server group for a

NetBIOS domain. If you configure firewall rules for a user group in the NetBIOS domain, the user

membership is determined by querying the AD servers defined for the domain.

Navigation Path

Do one of the following:

•From the AD Setup tab of the Identity Options page, click the Add or Edit buttons for the domain

table. See Identifying Active Directory Servers and Agents, page13-8.