Configuring Active Directory Agents – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI, page 36-13

Chapter 36 Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Configuring Active Directory Agents

Periodically or on demand, the AD Agent monitors the Active Directory server security event log file
via WMI for user login and logoff events. The AD Agent maintains a cache of user ID to IP address
mappings and notifies the ASA of changes.

Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects
that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to the
secondary AD Agent. The Active Directory server for the AD Agent uses RADIUS as the communication
protocol; therefore, you must specify a key attribute for the shared secret between the ASA and the AD Agent.

Requirements

AD agent IP address

Shared secret between ASA and AD agent

To configure the AD Agents, perform the following steps:

Step 1

Command: hostname(config)# aaa-server server-tag protocol radius

Example: hostname(config)# aaa-server adagent protocol radius

Purpose: Creates the AAA server group and configures the AAA server parameters for the AD Agent.

Step 2

Command: hostname(config)# ad-agent-mode

Purpose: Enables the AD Agent mode.

Step 3

Command: hostname(config-aaa-server-group)# aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]

Example: hostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101

Purpose: For the AD Agent, configures the AAA server as part of an AAA server group, together with the host-specific AAA server parameters.

Step 4

Command: hostname(config-aaa-server-host)# key key

Example: hostname(config-aaa-server-host)# key mysecret

Purpose: Specifies the server secret value used to authenticate the ASA to the AD Agent server.

Step 5

Command: hostname(config-aaa-server-host)# user-identity ad-agent aaa-server aaa_server_group_tag

Example: hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagent

Purpose: Defines the server group of the AD Agent.

The first server defined in the aaa_server_group_tag variable is the primary AD Agent and the second server defined is the secondary AD Agent.

The Identity Firewall supports defining only two AD Agent hosts.

When the ASA detects that the primary AD Agent is down and a secondary agent is specified, it switches to the secondary AD Agent. The aaa-server for the AD Agent uses RADIUS as the communication protocol and must specify the key attribute for the shared secret between the ASA and the AD Agent.

Step 6

Command: hostname(config-aaa-server-host)# test aaa-server ad-agent

Purpose: Tests the communication between the ASA and the AD Agent server.

What to Do Next

Configure access rules for the Identity Firewall. See Configuring Identity-based Access Rules, page 20.
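The constraints in the procedure above (RADIUS transport, ad-agent-mode, at most a primary and a secondary host, a shared secret on every host) can be checked against a saved running-config excerpt before the group is bound. The following Python check is an added example, not code from the Cisco guide; the sample excerpt it runs on is constructed, and the `timeout` and inline-key forms it accepts follow the command syntax shown in Step 3.

```python
import re
MAX_AD_AGENTS = 2  # the Identity Firewall supports defining only two AD Agent hosts

def audit_ad_agent_config(config_text):
    """Return findings (empty when OK) for the AD Agent group an ASA config binds with
    'user-identity ad-agent aaa-server': it must use RADIUS, enable ad-agent-mode, define
    one or two hosts (primary first) and give every host a shared secret (inline or 'key')."""
    groups, hosts, ad_mode, bound = {}, {}, set(), None
    last_group = cur_host = None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            groups[m[1]] = m[2]
            last_group, cur_host = m[1], None
        elif m := re.match(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)(?: (?!timeout)(\S+))?", line):
            cur_host = {"ip": m[2], "key": m[3] is not None}  # optional inline key
            hosts.setdefault(m[1], []).append(cur_host)
        elif line == "ad-agent-mode" and last_group:
            ad_mode.add(last_group)
        elif line.startswith("key ") and cur_host:
            cur_host["key"] = True
        elif m := re.match(r"user-identity ad-agent aaa-server (\S+)$", line):
            bound = m[1]
    if bound is None or bound not in groups:
        return [f"no RADIUS group is bound with 'user-identity ad-agent aaa-server' (got {bound!r})"]
    findings = []
    if groups[bound] != "radius":
        findings.append(f"group '{bound}' uses protocol {groups[bound]}; the AD Agent requires RADIUS")
    if bound not in ad_mode:
        findings.append(f"group '{bound}' does not enable ad-agent-mode")
    agents = hosts.get(bound, [])
    if not agents:
        findings.append(f"group '{bound}' defines no AD Agent host")
    elif len(agents) > MAX_AD_AGENTS:
        findings.append(f"group '{bound}' defines {len(agents)} hosts; only a primary and a secondary are used")
    for role, host in zip(("primary", "secondary"), agents):
        if not host["key"]:
            findings.append(f"{role} AD Agent {host['ip']} has no shared secret (key)")
    return findings

# Constructed sample excerpt (not from a real device): three hosts, the second one without a key.
SAMPLE_CONFIG = """\
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.1.101
 key mysecret
aaa-server adagent (inside) host 192.168.1.102
aaa-server adagent (inside) host 192.168.1.103 timeout 10
 key mysecret
user-identity ad-agent aaa-server adagent
"""
```

Running `audit_ad_agent_config(SAMPLE_CONFIG)` reports two findings: the third host, which the Identity Firewall will not use, and the missing secret on the secondary agent.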
