Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
797
Views
0
Helpful
4
Replies

Identity FW on ASA5515X, 5525X, 5545X

radekpitr
Level 1
Level 1

‎05-27-2013 06:13 AM - edited ‎03-11-2019 06:49 PM

Hello,

I`m preparing Testing environment with Identity option feature.

Currently I have tested this with 5505 and 5520 where Users authenticated in AD controller was able to pass rules on ASA  using AD-agent on WIN08.

Ma question is if this is supported on new models 5515X, 5525X and 5545X also with basic HW. Documentation saing that this feature is part of CX and SSD is needed to run it. Where SSD is supported from version 9.1.(1) but "Identity option" is supported from version 8.6.(1) where all features are inherited from 8.4(2)

I don`t wanna use CX feature and don`t wanna pay for SSD as its not cheap.

Have anyone experiances with this feature on new models?

THX Radek

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-27-2013 11:49 AM

The Identitiy firewall features are supported on all of the 55x5-X series whether or not they have the CX module.

CX adds additional functionality further leveraging identity.

0 Helpful

radekpitr
Level 1
Level 1
In response to Marvin Rhoads

‎05-29-2013 05:40 AM

Hi,

Thx for  quick answer!

Do you know what could be increase of hardware usage on AD controllers

and what would be needed  bandwidth and maximum delay on WAN as some AD controllers could be located in another country/location for CDA ?

Thanks for answer in advance!

Radek

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to radekpitr

‎05-29-2013 06:04 AM

There should not be significant additional load on the AD domain controllers. Likewise the authentication traffic should not introduce significant bandwidth consumption. The packets are of minimal size.

The ASA is very patient about waiting for replies (12 second timeout) - you will more likely have users complaining before the system timeout causes authentication to fail.

Best practices for Active Directory deployment would have you establishing domain controllers at the site (or at least in the region) of your remote users so that the possibility of bandwidth and latency issues (and availability!) for all authentication functions (not just those needed by Identity Firewall) are minimized.

0 Helpful

radekpitr
Level 1
Level 1
In response to Marvin Rhoads

‎05-29-2013 06:20 AM

We are not able to introduse CDA on all sites worldwide as ASA is not able to sopport more then one AD-agent (secound one is just standby)

users at first time would not pass FW as they would be inside network and authentication would be used to get "outside" so there should not be problem with user complaining i guess

I would be affraid about reliability as CDA has to suck info from remote AD and then pass to ASA (using WAN) mostly located on same remote location where there could be up to 40 locations worlwide

Have you ane experinces with this kind of solutiuon ?

Thanks for answer in adnavce!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card