The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the ASA for the Identity Firewall and includes the following sections:
This section includes the following topics:
In an enterprise, users often need access to one or more server resources. Typically, a firewall is not aware of the users’ identities and, therefore, cannot apply security policies based on identity. To configure per-user access policies, you must configure a user authentication proxy, which requires user interaction (a username/password query).
The Identity Firewall in the ASA provides more granular access control based on users’ identities. You can configure access rules and security policies based on user names and user group names rather than through source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped usernames instead of network IP addresses.
The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses and allows transparent authentication for Active Directory users.
Identity-based firewall services enhance the existing access control and security policy mechanisms by allowing users or groups to be specified in place of source IP addresses. Identity-based security policies can be interleaved without restriction between traditional IP address-based rules.
The Identity Firewall integrates with Window Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping.
The identity firewall consists of three components:
Although Active Directory is part of the Identity Firewall on the ASA, Active Directory administrators manage it. The reliability and accuracy of the data depends on data in Active Directory.
Supported versions include Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 servers.
The AD Agent runs on a Windows server. Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.
Note Windows 2003 R2 is not supported for the AD Agent server.
Figure 39-1 show the components of the Identity Firewall. The succeeding table describes the roles of these components and how they communicate with one another.
Figure 39-1 Identity Firewall Components
The Identity Firewall includes the following key features.
You can deploy the components of the Identity Firewall in the following ways, depending on your environmental requirements.
Figure 39-2 shows how you can deploy the components of the Identity Firewall to allow for redundancy. Scenario 1 shows a simple installation without component redundancy. Scenario 2 also shows a simple installation without redundancy. However, in this deployment scenario, the Active Directory server and AD Agent are co-located on the same Windows server.
Figure 39-2 Deployment Scenario without Redundancy
Figure 39-3 shows how you can deploy the Identity Firewall components to support redundancy. Scenario 1 shows a deployment with multiple Active Directory servers and a single AD Agent installed on a separate Windows server. Scenario 2 shows a deployment with multiple Active Directory servers and multiple AD Agents installed on separate Windows servers.
Figure 39-3 Deployment Scenario with Redundant Components
Figure 39-4 shows how all Identity Firewall components—Active Directory server, the AD Agent, and the clients—are installed and communicate on the LAN.
Figure 39-4 LAN -based Deployment
Figure 39-5 shows a WAN-based deployment to support a remote site. The Active Directory server and the AD Agent are installed on the main site LAN. The clients are located at a remote site and connect to the Identity Firewall components over a WAN.
Figure 39-5 WAN-based Deployment
Figure 39-6 also shows a WAN-based deployment to support a remote site. The Active Directory server is installed on the main site LAN. However, the AD Agent is installed and accessed by the clients at the remote site. The remote clients connect to the Active Directory servers at the main site over a WAN.
Figure 39-6 WAN-based Deployment with Remote AD Agent
Figure 39-7 shows an expanded remote site installation. An AD Agent and Active Directory servers are installed at the remote site. The clients access these components locally when logging into network resources located at the main site. The remote Active Directory server must synchronize its data with the central Active Directory servers located at the main site.
Figure 39-7 WAN-based Deployment with Remote AD Agent and AD Servers
|
|
---|---|
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall modes.
Additional Guidelines and Limitations
– Group policy (except for VPN filters)
By design, if a previous download session has finished, the ASA does not allow you to issue this command again.
As a result, if the user-IP database is very large, the previous download session is not finished yet, and you issue another user-identity update active-user-database command, the following error message appears:
You need to wait until the previous session is completely finished, then you can issue another user-identity update active-user-database command.
Another example of this behavior occurs because of packet loss from the AD Agent to the ASA.
When you issue a user-identity update active-user-database command, the ASA requests the total number of user-IP mapped entries to be downloaded. Then the AD Agent initiates a UDP connection to the ASA and sends the change of authorization request packet.
If for some reason the packet is lost, there is no way for the ASA to discern this. As a result, the ASA holds the session for 4-5 minutes, during which time this error message continues to appear if you have issued the user-identity update active-user-database command.
– Authentication port for UDP—1645
– Accounting port for UDP—1646
The listening port is used to send change of authorization requests from the CDA to the ASA or to the WSA.
Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent and Microsoft Active Directory.
Note Windows 2003 R2 is not supported for the AD Agent server.
Note Before running the AD Agent Installer, you must install the patches listed in the README First for the Cisco Active Directory Agent on each Microsoft Active Directory server that the AD Agent monitors. These patches are required even when the AD Agent is installed directly on the domain controller server.
To configure the Identity Firewall, perform the following tasks:
Step 1 Configure the Active Directory domain in the ASA.
See Configuring the Active Directory Domain and the Configuring Active Directory Server Groups.
See also the Deployment Scenarios for the ways in which you can deploy the Active Directory servers to meet your environment requirements.
Step 2 Configure the AD Agent in ASA.
See Configuring Active Directory Server Groups and the Configuring Active Directory Agent Groups.
See also Deployment Scenarios for the ways in which you can deploy the AD Agents to meet your environment requirements.
Step 3 Configure Identity Options.
See Configuring Identity Options.
Step 4 Configure Identity-based Security Policy. After the AD domain and AD Agent are configured, you can create identity-based object groups and ACLs for use in many features.
See Configuring Identity-Based Security Policy.
Active Directory domain configuration on the ASA is required for the ASA to download Active Directory groups and accept user identities from specific domains when receiving IP-user mapping from the AD Agent.
To configure the Active Directory domain, perform the following steps:
Step 1 Choose Configuration > Firewall > Identity Options.
Step 2 If necessary, check the Enable User Identity check box to enable user identity.
Step 3 In the Domains section, click Add or select a domain from the list and click Edit.
The Domain dialog box appears.
Step 4 In the Domain NETBIOS Name field, enter a name up to 32 characters consisting of [a-z], [A-Z], [0-9], [!@#$%^&()-_=+[]{};,. ] except '.' and ' ' at the first character. If the domain name includes a space, you must enclose that space character in quotation marks. The domain name is not case sensitive.
When you edit the name of an existing domain, the domain name associated with existing users and user groups is not changed.
Step 5 From the AD Server Group list, select the Active Directory servers to associate with this domain or click Manage to add a new server group to the list. See Configuring Active Directory Server Groups.
Step 6 Click OK to save the domain settings and close this dialog box.
See Configuring Active Directory Server Groups and the Configuring Active Directory Agent Groups.
To configure the Active Directory server group, perform the following steps:
Step 1 Choose Configuration > Firewall > Identity Options > Add > Manage.
The Configure Active Directory Server Groups dialog box appears.
Step 2 To add an Active Directory server group for the Identify Firewall, click Add.
The Add Active Directory Server Group dialog box appears.
Step 3 To add servers to an Active Directory server group, select the group from the Active Directory Server Groups list, then click Add.
The Add Active Directory Server dialog box appears.
Step 4 Click OK to save the settings and close this dialog box.
See Configuring Active Directory Agents and the Configuring Active Directory Agent Groups.
Make sure that you have the following information before configuring the AD Agents:
To configure the AD Agents, perform the following steps:
Step 1 Choose Configuration > Firewall > Identity Options.
Step 2 If necessary, check the Enable User Identity check box to enable the feature.
Step 3 In the Active Directory Agent section, click Manage.
The Configure Active Directory Agents dialog box appears.
Step 4 To add an AD Agent, click the Add button. Alternatively, choose an agent group from the list and click Edit.
To continue, see Configuring Active Directory Agent Groups.
Step 5 Click OK to save your changes.
Configure AD Agent groups. See Configuring Active Directory Agent Groups.
Configure access rules for the Identity Firewall. See Configuring Identity-Based Security Policy.
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to the secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between the ASA and AD Agent.
To configure the AD Agent Groups, perform the following steps:
Step 1 From the Configure Active Directory Agents dialog box, click Add.
The Add Active Directory Agent Group dialog box appears.
Step 2 Enter a name for the AD Agent group.
Step 3 From the Primary Active Directory Agent section, specify the interface on which the ASA listens for traffic from the AD Agent server, and enter the FQDN of the server or IP address.
Step 4 In the Primary Active Directory Agent section, enter a timeout interval and the retry interval for the attempts that the ASA will continue to contact the AD Agent when it is not responding.
Step 5 Enter the shared secret key that is used between the primary AD Agent and the ASA.
Step 6 From the Secondary Active Directory Agent section, specify the interface on which the ASA listens for traffic from the AD Agent server, and enter the FQDN of the server or IP address.
Step 7 In the Secondary Active Directory Agent section, enter a timeout interval and the retry interval for the the attempts that the ASA will continue to perform to contact the AD Agent when it is not responding.
Step 8 Enter the shared secret key that is used between the secondary AD Agent and the ASA.
Step 9 Click OK to save your changes and close this dialog box.
Configure access rules for the Identity Firewall. See Configuring Identity-Based Security Policy.
Use this pane to add or edit the Identity Firewall feature; check the Enable check box to enable the feature. By default, the Identity Firewall feature is disabled.
Before configuring the identify options for the Identity Firewall, you must meet the prerequisites for the AD Agent and Microsoft Active Directory. See Prerequisites for the requirements of the AD Agent and Microsoft Active Directory installation.
To configure the Identity Options for the Identity Firewall, perform the following steps:
Step 1 Choose Configuration > Firewall > Identity Options.
Step 2 If necessary, check the Enable User Identity check box to enable the feature.
Step 3 To add a domain for the Identity Firewall, click Add to display the Add Domain dialog box.
Step 4 To continue, see Configuring the Active Directory Domain.
Step 5 For domains that have already been added to the Domains list, check whether to disable rules when the domain is down because the Active Directory domain controller is not responding.
When a domain is down and this option is checked for that domain, the ASA disables the user identity rules associated with the users in that domain. Additionally, the status of all user IP addresses in that domain is marked as disabled in the Monitoring > Properties > Identity > Users pane.
Step 6 From the Default Domain drop-down list, select the default domain for the Identity Firewall.
The default domain is used for all users and user groups when a domain has not been explicitly configured for those users or groups. When a default domain is not specified, the default domain for users and groups is LOCAL.
Additionally, the Identity Firewall uses the LOCAL domain for all locally defined user groups or locally defined users (users who log in and authenticate by using a VPN or web portal).
Note The default domain name that you select must match the NetBIOS domain name configured on the Active Directory domain controller. If the domain name does not match, the AD Agent incorrectly associates the user-IP mapping with the domain name that you entered when configuring the ASA.
To view the NetBIOS domain name, open the Active Directory user event security log in any text editor.
For multiple context modes, you can set a default domain name for each context, as well as within the system execution space.
Step 7 In the Active Directory Agent section, select the AD Agent group from the drop-down list. To add AD Agent groups, click Manage. For more information, see Configuring Active Directory Agents.
Step 8 In the Hello Timer field, enter a number between 10 to 65535 seconds.
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval.
Specify the number of times that the ASA will continue to send hello packets to the AD Agent. By default, the number of seconds is set to 30 and the retry times is set to 5.
Step 9 Check the Enable Event Timestamp check box to enable the ASA to keep track of the last event time stamp that it receives for each identifier and to discard any message if the event time stamp is at least 5 minutes older than the ASA’s clock, or if its time stamp is earlier than the last event’s time stamp.
For a newly booted ASA that does not have knowledge of the last event time stamp, the ASA compares the event time stamp with its own clock. If the event is at least 5 minutes older, the ASA does not accept the message.
We recommend that you configure the ASA, Active Directory, and Active Directory agent to synchronize their clocks among themselves using NTP
Step 10 In the Poll Group Timer field, enter the number of hours that the ASA uses to query the DNS server to resolve fully qualified domain names (FQDN). By default, the poll timer is set to 4 hours.
Step 11 In the Retrieve User Information, select an option from the list:
Note Selecting On Demand has the benefit of using less memory because only users of received packets are queried and stored.
Step 12 In the Error Conditions section, select whether to disable rules if the AD Agent is not responding.
When the AD Agent is down and this option is selected, the ASA disables the user identity rules associated with the users in that domain. Additionally, the status of all user IP addresses in that domain are marked as disabled in the Monitoring > Properties > Identity > Users pane.
Step 13 In the Error Conditions section, select whether to remove a user’s IP address when the NetBIOS probe fails.
Selecting this option specifies the action when NetBIOS probing to a user is blocked (for example, the user client does not respond to a NetBIOS probe). The network connection might be blocked to that client or the client is not active. When this option is selected, the ASA disables the identity rules associated with that user’s IP address.
Step 14 In the Error Conditions section, choose whether or not to remove a user’s MAC address when it is inconsistent with the IP address that the ASA has currently mapped to that MAC address. When this option is selected, the ASA disables the user identity rules associated with the specific user.
Step 15 In the Error Conditions section, choose whether to track users that are not found.
Step 16 In the Users section, choose the Idle Timeout option and enter a time in minutes, from 1 minute to 65535. By default, the idle timeout is set to 60 minutes.
Enabling this option configures a timer when an active user is considered idle, meaning the ASA does not receive traffic from the user’s IP address for more than the specified time. After the timer expires, the user’s IP address is marked inactive and removed from the local cached IP-user database and the ASA no longer notifies the AD Agent about that IP address. Existing traffic is still allowed to pass. When the Idle Timeout option is enabled, the ASA runs an inactive timer even when the NetBIOS Logout Probe is configured.
Note The Idle Timeout option does not apply to VPN or cut-through proxy users.
Step 17 In the NetBIOS Logout Probe section, enable NetBIOS probing and set the probe timer (from 1 to 65535 minutes) before a user's IP addresses is probed and the retry interval (from 1 to 256 retries) between retry probes.
Enabling this option configures how often the ASA probes the user host to determine whether the user client is still active. To minimize the NetBIOS packets, ASA only sends a NetBIOS probe to the client when the user has been idle for more than the specified number of minutes in the Idle Timeout minutes field.
Step 18 In the NetBIOS Logout Probe section, select an option from the User Name list:
Step 19 Click Apply to save the Identity Firewall configuration.
Configure the Active Directory domain and server groups. See Configuring the Active Directory Domain and the Configuring Active Directory Server Groups.
Configure AD Agents. See Configuring Active Directory Server Groups.
You can incorporate identity-based policy in many ASA features. Any feature that uses extended ACLs (other than those listed as unsupported in the Guidelines and Limitations) can take advantage of an identity firewall. You can now add user identity arguments to extended ACLs, as well as network-based parameters.
Features that can use identity include the following:
For more information, see the legacy feature guide.
This section includes the following topic:
To monitor the AD Agent component of the Identity Firewall, perform the following steps:
Step 1 Choose Monitoring > Properties > Identity > AD Agent.
Step 2 Click Refresh to update the data in the pane.
This pane displays the following information about the primary and secondary AD Agents:
To monitor the user groups configured for the Identity Firewall, perform the following steps:
Step 1 Choose Monitoring > Properties > Identity > Group.
Step 2 To display a list of the access rules using the selected group, click Where used.
Step 3 Click Refresh to update the data in the pane.
This pane displays the list of user groups in the domain \ group_name format.
To monitor the memory usage that the Identity Firewall consumes on the ASA, perform the following steps:
Step 1 Choose Monitoring > Properties > Identity > Memory Usage.
Step 2 Click Refresh to update the data in the pane.
This pane displays the memory usage in bytes of various modules in the Identity Firewall:
The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. The Active Directory server authenticates users and generates user login security logs.
Note How you configure the Identity Firewall to retrieve user information from the AD Agent affects the amount of memory used by the feature. You specify whether the ASA uses on-demand retrieval or full download retrieval. Choosing on-demand retrieval has the benefit of using less memory because only users of received packets are queried and stored. For more information, see Configuring Identity Options.
To display information about all users contained in the IP-user mapping database used by the Identity Firewall, perform the following steps:
Step 1 Choose Monitoring > Properties > Identity > User.
Note Active users are highlighted in green.
Step 2 To display additional information about an active user, select the user in the list and click Details. The Details button is enabled for active users only.
Step 3 To display a list of the access rules using the selected user, click Where used.
Step 4 Click Refresh to update the data in the pane.
This pane displays the following information for users:
The default domain name can be the real domain name, a special reserved word, or LOCAL. The Identity Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users (users who log in and authenticate by using a VPN or web portal). When the default domain is not specified, the default domain is LOCAL.
The idle time is stored on a per-user basis instead of by the IP address of a user.
If the option to disable rules when the Active Directory server is down and the domain is down, or the option to disable rules in the AD Agent is down and the AD Agent is down, all the logged-in users have the disabled status. You configure these options in the Identity Options pane.
Alternatively, you can view statistics for users by accessing the Firewall Dashboard pane. The Firewall Dashboard tab lets you view important information about the traffic passing through your ASA. Choose the Home > Firewall Dashboard > Top Usage Statistics > Top 10 Users tab.
The Top 10 Users tab displays data only when you have configured the Identity Firewall feature in the ASA, which includes configuring these additional components—the Microsoft Active Directory and Cisco Active Directory (AD) Agent. For more information, see Configuring the Identity Firewall.
Depending on which option you choose, the Top 10 Users tab shows statistics for received EPS packets, sent EPS packets, and sent attacks for the top 10 users. For each user (displayed as domain \ user_name), the tab displays the average EPS packet, the current EPS packet, the trigger, and total events for that user.
Note The first three tabs in the Top Usage Status area display threat detection data and are unrelated to the Identity Firewall feature.
Table 39-1 lists the release history for this feature. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.