13-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Selecting Identity Users in Policies
In any policy or policy object that allows the specification of identity users, whether directly or through the selection of an identity user group object, you can click the Select button next to the User field to help you enter the information.
In the Identity User Group Selector dialog box, you can define the content of the User field by populating the Members in Group list. To populate the list, do any combination of the following:
• In Available Identity User Group, select an existing object and click the Add >> button between the lists. If the desired object does not exist, you can click the Add (+) button below the list to create a new object. You can also select an object and click the Edit (pencil) button to modify it or to examine its contents.
There are two pre-defined identity user groups. These groups are used when configuring cut-through proxy, as described in Configuring Cut-Through Proxy, page 13-23.
– all-auth-users—To match any IP address that has been associated with an authenticated user.
– all-unauth-users—To match only IP addresses that have not been associated with authenticated users.
• In Search User/User Group, select a user or user group from the Active Directory server configured for the domain in the Identity Settings administrative options. You must configure the settings before you can select users or user groups, so that Security Manager knows which AD server to use.
To find a user or user group, select the NetBIOS domain, indicate whether you are searching for a user or user group, and enter a search string. Then, click Search to find matches. A name is considered a match if the string appears anywhere within the name (first, middle initial, last), user ID, CN, or for groups, user group name.
To add the user or group, select it in the list and click the Add >> button between the lists.
• In Type in comma separated identity user or user group, type in a valid name, then click the Add >> button between the lists. Separate multiple names with commas; they are added as separate lines in the members list.
You can enter names in the following formats:
– Individual users: NETBIOS_DOMAIN\user
– User groups (note the double \): NETBIOS_DOMAIN\\user_group
If you do not include the domain name, one is added for you based on the options selected in the Security Manager Administration Identity Settings page as explained in Identity Settings Page, page 11-26. If you precede the name with \ or \\, the default domain defined on the Identity Settings page is automatically added.
To remove an item from the object, select it in the Members list and click the << Remove button between the lists.
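The name formats for the comma-separated field above (single backslash for users, double backslash for groups, default domain filled in when the domain is omitted or the name is preceded by \ or \\) can be checked before they are pasted into the dialog. The following parser is an added example written for this page, not code from the Cisco Security Manager product or its guide; the names CORP, LAB, jdoe, asmith, Engineering and Testers are constructed sample data, and treating a bare name with no backslash as an individual user is an assumption, since the guide only states that a domain is added for it.

```python
# Added example (not from the Cisco Security Manager guide): a small parser for the
# "Type in comma separated identity user or user group" field, following the name
# formats the guide describes:
#   NETBIOS_DOMAIN\user          individual user
#   NETBIOS_DOMAIN\\user_group   user group (double backslash)
#   \user, \\user_group, user    no domain given; the default domain is added
# Assumption: a bare name with no backslash at all is treated as a user; the guide
# only says a domain is added for it, not which type it becomes.
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityMember:
    """One line of the Members in Group list."""
    domain: str
    name: str
    is_group: bool

    def __str__(self) -> str:
        # Groups are written with the double backslash, users with a single one.
        sep = "\\\\" if self.is_group else "\\"
        return f"{self.domain}{sep}{self.name}"


def parse_identity_members(text: str, default_domain: str) -> list:
    """Split a comma-separated entry into members, one per name, filling in the default domain."""
    members = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate stray or trailing commas
        domain, sep, rest = entry.partition("\\")
        if not sep:
            # No backslash at all: default domain, treated as a user (assumption above).
            members.append(IdentityMember(default_domain, entry, False))
            continue
        is_group = rest.startswith("\\")
        name = rest[1:] if is_group else rest
        if not name or "\\" in name:
            # Empty name after the separator, or more than two backslashes: reject it
            # rather than silently adding a malformed line to the members list.
            raise ValueError(f"malformed identity entry: {entry!r}")
        # A leading \ or \\ (empty domain part) means "use the default domain".
        members.append(IdentityMember(domain or default_domain, name, is_group))
    return members


if __name__ == "__main__":
    # Constructed sample input: an explicit user, a group without a domain,
    # a bare name, and an explicit group in another domain.
    sample = r"CORP\jdoe, \\Engineering, asmith, LAB\\Testers"
    for m in parse_identity_members(sample, default_domain="CORP"):
        print(m, "(group)" if m.is_group else "(user)")
```

Running the block with the constructed sample prints one normalized line per member, which is exactly what the dialog adds to the Members in Group list; the str() form reproduces the single- or double-backslash convention so the output can be compared against what the dialog shows.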
Configuring Identity-Based Firewall Rules
Identity awareness is integrated into the access control entries, or rules, in the ACLs used to provide firewall services. Because the feature is integrated into the ACL, the techniques for adding identity-based rules to a firewall policy are the same for all types of firewall policy. This topic provides general guidance on how to incorporate identity-based rules into your existing policies, and directs you to more specific information on configuring each type of policy that allows identity-based rules.