Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


Identity FW on ASA5515X, 5525X, 5545X


I`m preparing Testing environment with Identity option feature.

Currently I have tested this with 5505 and 5520 where Users authenticated in AD controller was able to pass rules on ASA  using AD-agent on WIN08.

Ma question is if this is supported on new models 5515X, 5525X and 5545X also with basic HW. Documentation saing that this feature is part of CX and SSD is needed to run it. Where SSD is supported from version 9.1.(1) but "Identity option" is supported from version 8.6.(1) where all features are inherited from 8.4(2)

I don`t wanna use CX feature and don`t wanna pay for SSD as its not cheap.

Have anyone experiances with this feature on new models?

THX Radek

Everyone's tags (8)
Hall of Fame Master

Identity FW on ASA5515X, 5525X, 5545X

The Identitiy firewall features are supported on all of the 55x5-X series whether or not they have the CX module.

CX adds additional functionality further leveraging identity.


Identity FW on ASA5515X, 5525X, 5545X


Thx for  quick answer!

Do you know what could be increase of hardware usage on AD controllers

and what would be needed  bandwidth and maximum delay on WAN as some AD controllers could be located in another country/location for CDA ?

Thanks for answer in advance!


Hall of Fame Master

Identity FW on ASA5515X, 5525X, 5545X

There should not be significant additional load on the AD domain controllers. Likewise the authentication traffic should not introduce significant bandwidth consumption. The packets are of minimal size.

The ASA is very patient about waiting for replies (12 second timeout) - you will more likely have users complaining before the system timeout causes authentication to fail.

Best practices for Active Directory deployment would have you establishing domain controllers at the site (or at least in the region) of your remote users so that the possibility of bandwidth and latency issues (and availability!) for all authentication functions (not just those needed by Identity Firewall) are minimized.


Identity FW on ASA5515X, 5525X, 5545X

We are not able to introduse CDA on all sites worldwide as ASA is not able to sopport more then one AD-agent (secound one is just standby)

users at first time would not pass FW as they would be inside network and authentication would be used to get "outside" so there should not be problem with user complaining i guess

I would be affraid about reliability as CDA has to suck info from remote AD and then pass to ASA (using WAN) mostly located on same remote location where there could be up to 40 locations worlwide

Have you ane experinces with this kind of solutiuon ?

Thanks for answer in adnavce!