Solved: ASA "AD Integration" - where to start

PAUL TRIVINO · ‎12-18-2014

I have been tasked with getting so that our ASA rules have visibility to what user is hitting a rule (not necessarily to enforce rules that way, yet). I am not sure where to even start this process.

I see the "Identity Options" policiy in CSM, which I am guessing is where to configure this, but I have no idea of the overall process. Anyone have a suggestion as to where to start, and/or if there is an overview document somewhere?

Karsten Iwen · ‎12-18-2014

The identity firewall is pretty good documented in the config-guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_idfw.html

You need the CDA for the Identity-firewall:

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10.html

View solution in original post

Karsten Iwen · ‎12-18-2014

The identity firewall is pretty good documented in the config-guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_idfw.html

You need the CDA for the Identity-firewall:

http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10.html

PAUL TRIVINO · ‎12-18-2014

Karsten, thanks. Those look like good links (they *work*, for sure...;^) and will be useful. I'll come back and mark this Correct as soon as I read them.

Thanks again.

PAUL TRIVINO · ‎12-19-2014

Karsten, one thing we'll want is to test first, of course - do you happen to know if I can then specify "Any" for User/Group in a rule, and have the UserID and/or Group be in the log messages?

Thanks again.

Karsten Iwen · ‎12-19-2014

"any" user or group is the default for all ACEs. When you configure the identity-firewall you don't need to change your rules directly. If the ASA knows the user-mapping, it will show this in the logs.

PAUL TRIVINO · ‎12-19-2014

Excellent, thanks.