Looking at implementing IDFW by vpn authentication, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_idfw.html#wp1372180,
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD Agent, which distributes the user information to all registered ASA devices. Specifically, the user identity-IP address mappings of authenticated users are forwarded to all ASA contexts that contain the input interface where packets are received and authenticated.
What I want to do is create identity aware access rules.
Lets suppose a user authenticate through vpn ASA firewall by ldap on AD. Vpn ASA firewall reports identity-IP address mappings to AD agent. AD agent reports identity-IP address mappings to all the other firewalls. Then I can create identity aware access rules on all the other firewalls ? Is it so easy or am I missing something ?
We have remote VPN connections authenticated via RADIUS from ASA and ASA does not recognize this users as Active in the Identity options.
Is the difference of having them authenticate using a RADIUS server to our Active Directory? Or is it that in order to be able to apply identity options to VPN users something else has to be done?
I don't find any clear information about this.
I think Cisco agent just have to get a user AD domain logon event. Ldap logon auth through vpn or cut-through proxy yes (or SSO of course if it is a domain workstation) but not sure about radius auth (don't think so).
Another thing to be aware of is remote VPN access. When you remote VPN on, you get authenticated to the firewall. This could be via local ASA accounts, Radius, TACACS, ACS, LDAP etc. If you use AAA LDAP authentication (using Active Directory in this case), you are not logging on to the domain as you VPN in, you are simply saying ‘here are my AD credentials, please authenticate me on the firewall’. At that point, one of two things happens with the Identity Firewall. If you are using a domain computer to remote on, that machine will automatically try to make contact with a DC. When it finds one (over the VPN), it will log on to the domain, create a security log and the AD agent will let the ASA know. Any rules assigned to that user, that don’t filter on source IP, will now come in to effect. However, if the machine is not joined to the domain, there will be no logon event (the username\password given at connection was only for VPN authentication), and so any user-identity ACLs will not apply.
..and actually on DC security events there are no logon events for machine not joined to the domain.