Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI, page 36-19
Chapter 36 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Command / Purpose

Step 12

Command:
hostname(config)# user-identity ad-agent active-user-database {on-demand|full-download}

Example:
hostname(config)# user-identity ad-agent active-user-database full-download

Purpose:
Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:

• full-download—Specifies that the ASA send a request to the AD Agent to download the entire IP-user mapping table when the ASA starts and then to receive incremental IP-user mapping when users log in and log out.

• on-demand—Specifies that the ASA retrieve the user mapping information of an IP address from the AD Agent when the ASA receives a packet that requires a new connection and the user of its source IP address is not in the user-identity database.

By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.

Full downloads are event driven, meaning that subsequent requests to download the database send just the updates to the user identity-IP address mapping database. When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.

Step 13

Command:
hostname(config)# user-identity ad-agent hello-timer seconds seconds retry-times number

Example:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3

Purpose:
Defines the hello timer between the ASA and the AD Agent.

The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval.

By default, the hello timer is set to 30 seconds and 5 retries.

Step 14

Command:
hostname(config)# user-identity ad-agent aaa-server aaa_server_group_tag

Example:
hostname(config)# user-identity ad-agent aaa-server adagent

Purpose:
Defines the server group of the AD Agent.

For aaa_server_group_tag, enter the value defined by the aaa-server command.

What to Do Next

Configure the Active Directory domain and server groups. See Configuring the Active Directory.

Configure AD Agents. See Configuring Active Directory Agents, page 13.
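As an added example (not part of the Cisco guide), the following script audits the three AD Agent settings from Steps 12 to 14 in a saved running-config: it fills in the documented defaults (30 seconds, 5 retries, on-demand on the ASA 5505) when a line is absent, checks that the aaa-server group named in Step 14 is actually defined by an aaa-server command, and flags a hello-timer/retry combination that would take too long to detect a failed AD Agent. The sample config, the platform name strings, and the 300-second detection threshold are constructed assumptions for illustration.

```python
import re

# Defaults from the guide: hello timer 30 s with 5 retries; ASA 5505 defaults to
# on-demand, other ASA platforms to full-download.
DEFAULT_HELLO_SECONDS = 30
DEFAULT_RETRY_TIMES = 5

# Constructed sample running-config fragment (not taken from any real device).
SAMPLE_CONFIG = """\
hostname asa1
aaa-server adagent protocol radius
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 20 retry-times 3
user-identity ad-agent aaa-server adagent
"""

def effective_ad_agent_settings(config, platform="ASA5505"):
    """Parse the user-identity ad-agent lines and fill in documented defaults.
    The platform string is an assumed label; only 'ASA5505' changes the default."""
    settings = {
        "active_user_database": "on-demand" if platform == "ASA5505" else "full-download",
        "hello_timer": DEFAULT_HELLO_SECONDS,
        "retry_times": DEFAULT_RETRY_TIMES,
        "aaa_server_group": None,
        "aaa_groups_defined": set(),   # tags created by aaa-server <tag> protocol ...
    }
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"aaa-server (\S+) protocol \S+", line):
            settings["aaa_groups_defined"].add(m.group(1))
        elif m := re.fullmatch(r"user-identity ad-agent active-user-database (on-demand|full-download)", line):
            settings["active_user_database"] = m.group(1)
        elif m := re.fullmatch(r"user-identity ad-agent hello-timer seconds (\d+) retry-times (\d+)", line):
            settings["hello_timer"], settings["retry_times"] = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"user-identity ad-agent aaa-server (\S+)", line):
            settings["aaa_server_group"] = m.group(1)
    return settings

def audit_ad_agent(settings, max_detect_seconds=300):
    """Return a list of findings; an empty list means the settings are consistent.
    max_detect_seconds is an assumed local policy, not a value from the guide."""
    findings = []
    group = settings["aaa_server_group"]
    if group is None:
        findings.append("no AD Agent server group set (user-identity ad-agent aaa-server)")
    elif group not in settings["aaa_groups_defined"]:
        findings.append(f"AD Agent server group '{group}' has no matching aaa-server command")
    # Hello packets are how the ASA learns replication and domain status, so the
    # worst case before a dead AD Agent is noticed is roughly timer * retries.
    if settings["hello_timer"] * settings["retry_times"] > max_detect_seconds:
        findings.append("worst-case AD Agent failure detection exceeds the allowed window")
    return findings
```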