Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36 Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

What to Do Next

Configure the Active Directory domain and server groups. See Configuring the Active Directory Domain, page 11.

Configure AD Agents. See Configuring Active Directory Agents, page 13.

Step 12

Command:
hostname(config)# user-identity ad-agent active-user-database {on-demand | full-download}

Example:
hostname(config)# user-identity ad-agent active-user-database full-download

Purpose:
Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:

full-download: The ASA sends a request to the AD Agent to download the entire IP-user mapping table when the ASA starts, and then receives incremental IP-user mapping updates as users log in and log out.

on-demand: The ASA retrieves the user mapping information for an IP address from the AD Agent only when it receives a packet that requires a new connection and the user of that packet's source IP address is not yet in the user-identity database.

By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.

Full downloads are event driven: after the initial download, subsequent requests to download the database send only the updates to the user identity-IP address mapping database. When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA whenever a mapping changes.

Step 13

Command:
hostname(config)# user-identity ad-agent hello-timer seconds seconds retry-times number

Example:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3

Purpose:
Defines the hello timer between the ASA and the AD Agent.

The hello timer defines how frequently the ASA exchanges hello packets with the AD Agent. The ASA uses the hello packet to obtain the replication status (in-sync or out-of-sync) and the domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval, up to the configured number of retries.

By default, the hello timer is set to 30 seconds and 5 retries.

Step 14

Command:
hostname(config)# user-identity ad-agent aaa-server aaa_server_group_tag

Example:
hostname(config)# user-identity ad-agent aaa-server adagent

Purpose:
Defines the server group of the AD Agent.

For aaa_server_group_tag, enter the server group name defined by the aaa-server command.
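Steps 12 through 14 only make sense once the AD Agent server group exists, so the following is an added end-to-end example of the ASA side of the AD Agent configuration. It is not taken from this guide. It assumes the server group is named adagent (as in the step examples above), that the AD Agent is reachable at 192.168.1.101 through an interface named inside, and uses a placeholder RADIUS shared secret; the aaa-server, ad-agent-mode, test aaa-server ad-agent and show user-identity commands come from the wider ASA CLI rather than from this page. Replace the assumed values with your own.

```text
! Added example, not part of the original guide. The interface name,
! agent IP address and shared secret below are assumptions.

! 1. Create the RADIUS server group that represents the AD Agent and
!    mark it as an AD Agent group (the ASA talks to the agent over RADIUS).
hostname(config)# aaa-server adagent protocol radius
hostname(config-aaa-server-group)# ad-agent-mode
hostname(config-aaa-server-group)# exit

! 2. Add the AD Agent host to the group. The key is the RADIUS shared
!    secret and must match the one configured on the AD Agent; it is the
!    only thing authenticating the identity feed, so use a long random
!    value, never a dictionary word.
hostname(config)# aaa-server adagent (inside) host 192.168.1.101
hostname(config-aaa-server-host)# key REPLACE-WITH-STRONG-SHARED-SECRET
hostname(config-aaa-server-host)# exit

! 3. Step 14: point the identity firewall at that server group.
hostname(config)# user-identity ad-agent aaa-server adagent

! 4. Step 13: detect a lost agent sooner than the default 30 s x 5 retries.
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3

! 5. Step 12: pull the whole IP-user mapping table at startup and take
!    incremental updates afterwards. This is the default everywhere except
!    the ASA 5505, which defaults to on-demand and therefore looks up each
!    unknown source IP address at connection time.
hostname(config)# user-identity ad-agent active-user-database full-download

! 6. Check the result: confirm the agent answers, and that the ASA
!    reports it in-sync with the domain up before relying on identity
!    based access rules.
hostname(config)# test aaa-server ad-agent adagent
hostname(config)# show user-identity ad-agent
hostname(config)# show user-identity user active
```

If show user-identity ad-agent reports the agent out-of-sync or the domain down, identity-based rules fall back to whatever default you configured for unknown users, so verify the hello exchange is healthy before cutting traffic over to user-based policy.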
