https://community.cisco.com/t5/network-security/difference-between-quot-user-identity-domain-quot-amp-quot-user/m-p/4042149#M1067497 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; When you define a "user-identity-domain" you link it to a pre-defined AAA LDAP servers, and this feature is used for user-group mapping polling:</P><P>&nbsp;</P><P>aaa-server FIRST_DOMAIN protocol ldap</P><P>aaa-server (INSIDE) FIRST_DOMAIN host 10.10.10.10</P><P>&nbsp; ldap-base-dn dc=colocvium,dc=com</P><P>&nbsp;!</P><P>aaa-server SECOND_DOMAIN protocol ldap</P><P>aaa-server (INSIDE) SECOND_DOMAIN host 20.20.20.20</P><P>&nbsp;ldap-base-dn dc=cisco,dc=com</P><P>!</P><P>&nbsp; When you configure the identity-based rules in your ACL, if you fail/forget to specify also the domain name for the user, it will pick up the configured domain from "user-identity default-domain", which by default is LOCAL (meaning the LOCAL user database); this is the scope of this command. If you want to change it from the default of "LOCAL" to something custom, it needs to be one of the domain previously configured via the aaa-server protocol ldap commands, otherwise it gives an error, which makes sense.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P><P>&nbsp; &nbsp;</P> Sat, 07 Mar 2020 12:12:52 GMT Cristian Matei 2020-03-07T12:12:52Z https://community.cisco.com/t5/network-security/difference-between-quot-user-identity-domain-quot-amp-quot-user/m-p/4042073#M1067486 <P>Hi Experts,</P><P>ASA configuration guide lists both "user-identity domain" and "user-identity default-domain" in relations to a single identity-firewall configuration, often with same "nickname" and "NETBIOS_name" respectively, (IMO) without clarifying the specifics of each commands.</P><P>What does each command do, and are they independent of each other?</P><P>R's, Alex</P> Sat, 07 Mar 2020 04:46:08 GMT https://community.cisco.com/t5/network-security/difference-between-quot-user-identity-domain-quot-amp-quot-user/m-p/4042073#M1067486 AlexFer 2020-03-07T04:46:08Z https://community.cisco.com/t5/network-security/difference-between-quot-user-identity-domain-quot-amp-quot-user/m-p/4042149#M1067497 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; When you define a "user-identity-domain" you link it to a pre-defined AAA LDAP servers, and this feature is used for user-group mapping polling:</P><P>&nbsp;</P><P>aaa-server FIRST_DOMAIN protocol ldap</P><P>aaa-server (INSIDE) FIRST_DOMAIN host 10.10.10.10</P><P>&nbsp; ldap-base-dn dc=colocvium,dc=com</P><P>&nbsp;!</P><P>aaa-server SECOND_DOMAIN protocol ldap</P><P>aaa-server (INSIDE) SECOND_DOMAIN host 20.20.20.20</P><P>&nbsp;ldap-base-dn dc=cisco,dc=com</P><P>!</P><P>&nbsp; When you configure the identity-based rules in your ACL, if you fail/forget to specify also the domain name for the user, it will pick up the configured domain from "user-identity default-domain", which by default is LOCAL (meaning the LOCAL user database); this is the scope of this command. If you want to change it from the default of "LOCAL" to something custom, it needs to be one of the domain previously configured via the aaa-server protocol ldap commands, otherwise it gives an error, which makes sense.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P><P>&nbsp; &nbsp;</P> Sat, 07 Mar 2020 12:12:52 GMT https://community.cisco.com/t5/network-security/difference-between-quot-user-identity-domain-quot-amp-quot-user/m-p/4042149#M1067497 Cristian Matei 2020-03-07T12:12:52Z