Monitoring users for the identity firewall – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36 Configuring the Identity Firewall

Monitoring the Identity Firewall

Note

How you configure the Identity Firewall to retrieve user information from the AD Agent affects the amount of memory used by the feature. You specify whether the ASA uses on-demand retrieval or full-download retrieval. Selecting On Demand has the benefit of using less memory, as only users of received packets are queried and stored. See Configuring Identity Options, page 14, for a description of these options.

Monitoring Users for the Identity Firewall

You can display information about all users contained in the IP-user mapping database used by the
Identity Firewall.

Use the following options of the show user-identity command to obtain troubleshooting information for
the AD Agent:

show user-identity user all list

show user-identity user active user domain\user-name list detail

These commands display the following information for users:

domain\user_name
    The default domain name can be the real domain name, a special reserved word, or LOCAL. The Identity Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users (users who log in and authenticate by using a VPN or web portal). When the default domain is not specified, the default domain is LOCAL.

Active Connections

Minutes Idle
    The idle time is stored on a per-user basis instead of per IP address of a user.

Note

The first three tabs in the

If the command user-identity action domain-controller-down domain_name disable-user-identity-rule is configured and the specified domain is down, or if user-identity action ad-agent-down disable-user-identity-rule is configured and the AD Agent is down, all the logged-on users have the status disabled.
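As an added example (not from the Cisco manual), the following Python script parses a per-user listing with the columns described above and flags the two conditions the text calls out: users whose status is disabled (the state every logged-on user enters when the AD Agent or domain controller is down and the disable-user-identity-rule action is configured) and users idle beyond a threshold. The column layout of the sample listing, the Status column, and all user names are constructed assumptions, not the ASA's exact output format; the LOCAL default-domain rule and the per-user idle time come from the page.

```python
# Added example (not from the Cisco manual): parse the per-user listing the
# manual describes and flag the conditions it calls out. The column layout of
# SAMPLE_OUTPUT is a constructed assumption, not the ASA's exact output format.
import re
from dataclasses import dataclass
from typing import List

# The manual states that an unspecified default domain means LOCAL.
DEFAULT_DOMAIN = "LOCAL"


@dataclass
class UserEntry:
    domain: str
    user: str
    active_connections: int
    minutes_idle: int
    status: str  # "active" or "disabled" (lower-cased)


# Constructed sample listing with the columns named on the page
# (domain\user_name, Active Connections, Minutes Idle) plus a status column.
SAMPLE_OUTPUT = """\
domain\\user_name          Active Connections   Minutes Idle   Status
CORP\\alice                12                   3              active
CORP\\bob                  0                    65             active
carol                     2                    10             active
CORP\\dave                 1                    1              disabled
"""

# One data row: name, two integers, status word. The header row does not
# match because its second field is not numeric.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<conns>\d+)\s+(?P<idle>\d+)\s+(?P<status>\w+)\s*$"
)


def parse_user_list(text: str, default_domain: str = DEFAULT_DOMAIN) -> List[UserEntry]:
    """Turn the listing into UserEntry records, applying the LOCAL default
    domain to names given without a domain prefix."""
    entries: List[UserEntry] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank, or unrecognised line
        name = m.group("name")
        if "\\" in name:
            domain, user = name.split("\\", 1)
        else:
            domain, user = default_domain, name
        entries.append(UserEntry(domain, user, int(m.group("conns")),
                                 int(m.group("idle")), m.group("status").lower()))
    return entries


def disabled_users(entries: List[UserEntry]) -> List[str]:
    """Users whose status is disabled."""
    return [f"{e.domain}\\{e.user}" for e in entries if e.status == "disabled"]


def all_users_disabled(entries: List[UserEntry]) -> bool:
    """True when every logged-on user is disabled: the state the manual
    describes when the AD Agent or domain controller is down and the
    disable-user-identity-rule action is configured."""
    return bool(entries) and all(e.status == "disabled" for e in entries)


def idle_users(entries: List[UserEntry], threshold_minutes: int) -> List[str]:
    """Users idle for at least threshold_minutes; idle time is per user, not per IP."""
    return [f"{e.domain}\\{e.user}" for e in entries if e.minutes_idle >= threshold_minutes]


if __name__ == "__main__":
    users = parse_user_list(SAMPLE_OUTPUT)
    print("disabled:", disabled_users(users))
    print("idle >= 60 min:", idle_users(users, 60))
    print("all disabled (AD Agent or DC down?):", all_users_disabled(users))
```

Feeding real `show user-identity user all list` output to this script requires adjusting ROW_RE to the device's actual column layout; the all_users_disabled check is the one worth alerting on, because it distinguishes an infrastructure outage (AD Agent or domain controller unreachable) from an individual user being disabled.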
