13-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter1 3 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Creating Identity User Group Objects
You can create identity user group objects to identify individual users, user groups, or a combination of
users and groups. These users and groups must be defined in Active Directory (AD), you cannot define
other types of users.
Tip Identity user groups are defined on the ASA. You do not need to create these groups to duplicate groups
that are already defined in AD. You can directly specify AD groups in firewall rules. Identity user group
objects are needed only to define collections of users and user groups that do not otherwise exist in AD.
There are two pre-defined identity user groups. These groups are used when configuring cut-through
proxy, as described in Configuring Cut-Through Proxy, page 13-23.
all-auth-users—To match any IP address that has been associated with an authenticated user.
all-unauth-users—To match only IP addresses that have not been associated with authenticated
users.
Tips
Use of these objects is supported on ASA 8.4(2+) only.
You must configure the Identity Options policy on the ASA to enable the use of these objects.
You can create identity user group objects when defining policies or objects that use this object type.
For more information, see Selecting Identity Users in Policies, page 13-21.
Related Topics
Configuring Identity-Based Firewall Rules, page13-21
Retrieve User Information How the ASA should retrieve user-to-IP address mappings from the AD
agent.
Full Download (default for ASA non-5505 devices)—On boot, the
ASA obtains the full user-to-IP address mapping database from the
AD agent, and then gets incremental updates as users log into and
out of the network.
Use this option on the 5505 only if there are fewer than 1024 users
in the network, because the 5505 is limited to 1024 user-to-IP
mappings. For the 5505, the default On Demand setting is
appropriate if only a few users will pass traffic through the device.
On Demand (default for ASA 5505 devices)—The ASA queries
the AD agent for user-to-IP mappings only when a new packet
requires a connection and no mapping exists. This option uses less
memory, but there can be a delay in getting the mapping, and the
packets are initially evaluated based on traditional source and
destination IP address and service information, which might result
in the wrong action. The potential delay can be increased if a large
number of users log in at the same time, either due to corporate
culture or to a malicious attack.
Table13-5 Identity Options Advanced Tab (Continued)
Element Description