Prerequisites – Cisco ASA 5505 User Manual

Page 721


36-9

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36 Configuring the Identity Firewall


MAC address checking by the Identity Firewall does not work when intervening routers are present.
Packets from users logged onto clients behind the same router all arrive with the same source MAC
address, that of the router. With this implementation, every packet forwarded by that router passes
the check, because the ASA cannot ascertain the actual MAC addresses of the hosts behind the router
and so cannot tell one of those hosts from another.

The following ASA features do not support using the identity-based object and FQDN:

• route-map
• Crypto map
• WCCP
• NAT
• group-policy (except VPN filter)
• DAP

See Configuring Identity-based Access Rules, page 20.

Prerequisites

Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent
and Microsoft Active Directory.

AD Agent

The AD Agent must be installed on a Windows server that is accessible to the ASA. You must also
configure the AD Agent to obtain information from the Active Directory servers and to communicate
with the ASA.

Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.

Note: Windows 2003 R2 is not supported for the AD Agent server.

For the steps to install and configure the AD Agent, see the Installation and Setup Guide for the
Active Directory Agent.

Before configuring the AD Agent in the ASA, obtain the secret key value that the AD Agent and the ASA
use to communicate. This value is the shared secret for the RADIUS exchange between the two and must
match on both the AD Agent and the ASA; choose a strong value and keep it confidential, because it is
what authenticates the AD Agent to the ASA.

Microsoft Active Directory

Microsoft Active Directory must be installed on a Windows server that is accessible to the ASA.
Supported versions include Windows 2003, 2008, and 2008 R2 servers.

Before configuring the Active Directory server on the ASA, create a user account in Active Directory
for the ASA. The ASA binds with this account to query the directory, so it needs read access only;
do not give it administrative rights.

Additionally, the ASA sends the login credentials for this account to the Active Directory server
over LDAP with SSL enabled, so SSL must be enabled on the Active Directory server (LDAPS, port 636 by
default). Without it, the bind credentials would cross the network in cleartext. See the Microsoft
Active Directory documentation for the steps to enable SSL for Active Directory.
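The two prerequisites above that live in the ASA configuration (a shared key on every AD Agent host and SSL on the LDAP server group used for Active Directory) can be audited from a saved running-config. The following Python script is an added example, not part of the Cisco guide or the ASA software: it parses aaa-server blocks from a constructed sample config and flags an AD Agent host that has no key and an LDAP server group that lacks ldap-over-ssl enable. The sample config, its group names (adagent, ad-weak, ad-fixed), addresses, domain name and service-account DN are all assumed for illustration.

```python
"""Audit an ASA running-config for Identity Firewall prerequisites.

Added example, not Cisco code. Checks two things the manual requires:
  1. every host in an ad-agent-mode RADIUS group carries a shared key;
  2. every host in an LDAP group (Active Directory) has ldap-over-ssl enable.
"""
import re
from collections import OrderedDict

# Constructed sample config (not from any real device). Group "ad-weak"
# binds over plain LDAP; group "ad-fixed" is the corrected LDAPS version.
# The second adagent host deliberately has no key.
SAMPLE_CONFIG = """\
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.0.2.10
 key SharedSecretMatchingTheAgent
aaa-server adagent (inside) host 192.0.2.11
aaa-server ad-weak protocol ldap
aaa-server ad-weak (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,OU=Service Accounts,DC=example,DC=com
 ldap-login-password ****
 server-type microsoft
aaa-server ad-fixed protocol ldap
aaa-server ad-fixed (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,OU=Service Accounts,DC=example,DC=com
 ldap-login-password ****
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
user-identity domain EXAMPLE aaa-server ad-fixed
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server adagent
user-identity enable
"""


def parse_aaa_servers(config):
    """Return {group: {"protocol": str, "attrs": set, "hosts": [...]}}.

    Indented lines are attached to the most recent group or host line;
    a non-indented line that is not an aaa-server line ends the block.
    """
    groups = OrderedDict()
    current = None  # attribute set that indented lines are added to
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if raw.startswith(" "):
            if current is not None:
                current.add(line)
            continue
        m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
        if m:
            g = groups.setdefault(m.group(1), {"protocol": None, "attrs": set(), "hosts": []})
            g["protocol"] = m.group(2)
            current = g["attrs"]
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)
        if m:
            g = groups.setdefault(m.group(1), {"protocol": None, "attrs": set(), "hosts": []})
            host = {"interface": m.group(2), "host": m.group(3), "attrs": set()}
            g["hosts"].append(host)
            current = host["attrs"]
            continue
        current = None
    return groups


def user_identity_domains(config):
    """Map each user-identity domain name to the aaa-server group it uses."""
    return dict(re.findall(r"^user-identity domain (\S+) aaa-server (\S+)", config, re.M))


def audit(config):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    groups = parse_aaa_servers(config)
    domains = user_identity_domains(config)
    findings = []
    for name, g in groups.items():
        if g["protocol"] == "radius" and "ad-agent-mode" in g["attrs"]:
            for h in g["hosts"]:
                if not any(a.startswith("key ") for a in h["attrs"]):
                    findings.append(f"{name}: AD Agent host {h['host']} has no shared key "
                                    "(a matching key must be set on both sides)")
        if g["protocol"] == "ldap":
            mapped = [d for d, grp in domains.items() if grp == name]
            for h in g["hosts"]:
                if "ldap-over-ssl enable" not in h["attrs"]:
                    msg = (f"{name}: LDAP host {h['host']} binds without SSL; "
                           "ldap-login-password would cross the wire in cleartext")
                    if mapped:
                        msg += f" (used for domain(s) {', '.join(mapped)})"
                    findings.append(msg)
                if not any(a.startswith("ldap-login-dn ") for a in h["attrs"]):
                    findings.append(f"{name}: LDAP host {h['host']} has no ldap-login-dn "
                                    "(the ASA account created in Active Directory)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config aaa-server` plus the `user-identity` lines; on the constructed sample it reports the key-less AD Agent host and the ad-weak group, and is silent about ad-fixed.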
