08-01-2014 05:03 PM - edited 03-11-2019 09:34 PM
Looking at implementing IDFW via VPN authentication (http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_idfw.html#wp1372180), which says:
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD Agent, which distributes the user information to all registered ASA devices. Specifically, the user identity-IP address mappings of authenticated users are forwarded to all ASA contexts that contain the input interface where packets are received and authenticated.
What I want to do is create identity-aware access rules.
Let's suppose a user authenticates through the VPN ASA firewall via LDAP against AD. The VPN ASA firewall reports the identity-IP address mapping to the AD agent, and the AD agent reports the mapping to all the other firewalls. Then I can create identity-aware access rules on all the other firewalls? Is it that easy, or am I missing something?
08-10-2014 05:31 AM
Has no one tried it?
09-05-2014 04:00 AM
We have remote VPN connections authenticated via RADIUS from the ASA, and the ASA does not recognize these users as active in the Identity options.
Is the difference that they authenticate through a RADIUS server to our Active Directory? Or does something else have to be done in order to apply identity options to VPN users?
I don't find any clear information about this.
09-05-2014 01:18 PM
I think the Cisco agent just has to get a user's AD domain logon event. LDAP logon auth through VPN or cut-through proxy, yes (or SSO of course, if it is a domain workstation), but I'm not sure about RADIUS auth (I don't think so).
10-31-2014 02:29 AM
See http://vegaskid.net/2012/09/cisco-asa-identity-firewall/:
Another thing to be aware of is remote VPN access. When you remote VPN on, you get authenticated to the firewall. This could be via local ASA accounts, RADIUS, TACACS, ACS, LDAP etc. If you use AAA LDAP authentication (using Active Directory in this case), you are not logging on to the domain as you VPN in, you are simply saying ‘here are my AD credentials, please authenticate me on the firewall’. At that point, one of two things happens with the Identity Firewall. If you are using a domain computer to remote on, that machine will automatically try to make contact with a DC. When it finds one (over the VPN), it will log on to the domain, create a security log and the AD agent will let the ASA know. Any rules assigned to that user, that don’t filter on source IP, will now come into effect. However, if the machine is not joined to the domain, there will be no logon event (the username\password given at connection was only for VPN authentication), and so any user-identity ACLs will not apply.
...and indeed, in the DC security events there are no logon events for machines not joined to the domain.
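To make the checks discussed in this thread concrete, here is an added example (not from the thread or the linked posts) of a minimal IDFW configuration on a second ASA that consumes mappings from the AD Agent, followed by the show/test commands that reveal whether a VPN user's mapping actually arrived on that ASA; all server names, addresses, domain, group and user names are placeholders.

```text
! Added example, not from the thread: IDFW on an ASA that only receives
! mappings from the AD Agent. All names/addresses below are placeholders.
!
! AAA server group pointing at the AD Agent (RADIUS in ad-agent-mode)
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.0.0.10
 key <ad-agent-shared-secret>
!
! AAA server group used to import users/groups from AD over LDAP
aaa-server ADLDAP protocol ldap
aaa-server ADLDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,OU=Service,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
!
! Bind the Identity Firewall to the domain and to the agent
user-identity domain EXAMPLE aaa-server ADLDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server ADAGENT
user-identity enable
!
! Identity-aware rule: only members of an AD group may reach the intranet
! server; everything else to that host is denied regardless of source IP.
access-list OUTSIDE_IN extended permit tcp user-group EXAMPLE\\vpn-users any host 10.0.0.20 eq 443
access-list OUTSIDE_IN extended deny ip any host 10.0.0.20
access-group OUTSIDE_IN in interface outside
!
! Checks: can this ASA reach the agent, and did the VPN user's mapping arrive?
! A VPN user authenticated only by LDAP/RADIUS from a non-domain machine will
! not appear in "user active", exactly as the quoted post describes.
test aaa-server ad-agent ADAGENT
show user-identity ad-agent
show user-identity user active
show user-identity ip-of-user EXAMPLE\jdoe
```

If `show user-identity user active` is empty for a connected VPN user, the mapping never left the agent; compare the DC security log for a logon event from the client's VPN-assigned address before touching the ACLs.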