Difference between "user-identity domain" & "user-identity default-domain"

AlexFer
Level 1

Hi Experts,

The ASA configuration guide lists both "user-identity domain" and "user-identity default-domain" in relation to a single identity-firewall configuration, often with the same "nickname" and "NETBIOS_name" respectively, (IMO) without clarifying the specifics of each command.

What does each command do, and are they independent of each other?

R's, Alex

1 Reply

Cristian Matei
VIP Alumni

Hi,

When you define a "user-identity domain" you link it to pre-defined AAA LDAP servers, and this feature is used for user-group mapping polling:

aaa-server FIRST_DOMAIN protocol ldap
aaa-server FIRST_DOMAIN (INSIDE) host 10.10.10.10
 ldap-base-dn dc=colocvium,dc=com
!
aaa-server SECOND_DOMAIN protocol ldap
aaa-server SECOND_DOMAIN (INSIDE) host 20.20.20.20
 ldap-base-dn dc=cisco,dc=com
!

When you configure the identity-based rules in your ACL, if you fail/forget to also specify the domain name for the user, it will pick up the configured domain from "user-identity default-domain", which by default is LOCAL (meaning the LOCAL user database); this is the scope of this command. If you want to change it from the default of "LOCAL" to something custom, it needs to be one of the domains previously configured via the aaa-server protocol ldap commands, otherwise it gives an error, which makes sense.

Regards,

Cristian Matei.
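As an added example (not from the original thread), a small Python audit that applies the rule described in the reply above: it parses the aaa-server, "user-identity domain" and "user-identity default-domain" lines, qualifies any "user" entry in an access-list that lacks a domain with the default domain, and flags domains the config never defined. The sample configuration, ACL name and user names are constructed for illustration.

```python
import re

# Constructed sample ASA configuration (not from the original post).
SAMPLE_CONFIG = """
aaa-server FIRST_DOMAIN protocol ldap
aaa-server FIRST_DOMAIN (INSIDE) host 10.10.10.10
 ldap-base-dn dc=colocvium,dc=com
user-identity domain FIRST_DOMAIN aaa-server FIRST_DOMAIN
user-identity default-domain FIRST_DOMAIN
access-list INSIDE_IN extended permit ip user FIRST_DOMAIN\\alice any any
access-list INSIDE_IN extended permit ip user bob any any
access-list INSIDE_IN extended permit ip user OTHER\\carol any any
"""


def parse_identity_config(config):
    """Return (ldap_tags, domains, default_domain) from an ASA config text.
    domains maps the user-identity domain nickname to its aaa-server tag;
    default_domain is LOCAL unless user-identity default-domain sets it."""
    ldap_tags, domains, default_domain = set(), {}, "LOCAL"
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol ldap$", line):
            ldap_tags.add(m.group(1))
        elif m := re.match(r"user-identity domain (\S+) aaa-server (\S+)$", line):
            domains[m.group(1)] = m.group(2)
        elif m := re.match(r"user-identity default-domain (\S+)$", line):
            default_domain = m.group(1)
    return ldap_tags, domains, default_domain


def audit_identity_rules(config):
    """Qualify every 'user X' ACL entry with the default domain when no
    domain is given; report domains or aaa-server tags that are not defined."""
    ldap_tags, domains, default_domain = parse_identity_config(config)
    findings = []
    if default_domain != "LOCAL" and default_domain not in domains:
        findings.append(f"default-domain {default_domain} is not a configured user-identity domain")
    for nick, tag in domains.items():
        if tag not in ldap_tags:
            findings.append(f"user-identity domain {nick} references unknown LDAP aaa-server {tag}")
    qualified = []
    for line in config.splitlines():
        line = line.strip()
        m = re.search(r"\buser (\S+)", line)
        if not line.startswith("access-list") or not m:
            continue
        domain, _, name = m.group(1).rpartition("\\")
        domain = domain or default_domain  # unqualified user -> default domain
        qualified.append(f"{domain}\\{name}")
        if domain != "LOCAL" and domain not in domains:
            findings.append(f"{line}: domain {domain} is not configured")
    return qualified, findings
```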
