Cisco ASA Identity Firewall

At the moment I am testing identity firewalling with a Cisco ASA for a new office network infrastructure.

From the configuration side, everything is straightforward and easy to set up:

1. Configure AAA LDAP Server

aaa-server protocol ldap
aaa-server (INSIDE) host
    ldap-base-dn DC=addomain,DC=net
    ldap-group-base-dn DC=addomain,DC=net
    ldap-scope subtree
    server-type microsoft
    server-port 389 
    ldap-login-dn *username*
    ldap-login-password *password*

If you use LDAP over SSL, you need to enable it and change the server port accordingly!

2. Configure Windows Cisco AD Agent

Install the Cisco AD Agent on one of your Windows servers, but not on the Domain Controller if you also want to use NPS!

adacfg client create -name ASA5515 -ip -secret secretpresharedkey
adacfg dc create -name DC01 -host -domain -user Administrator -password *password*

2.1 Check Windows AD Agent Configuration

C:\IBF\CLI\adactrl.exe show running
C:\IBF\CLI\adacfg.exe client list
C:\IBF\CLI\adacfg.exe dc list

3. Configure AD Agent on the ASA

aaa-server adagent protocol radius
aaa-server adagent (INSIDE) host
    key secretpresharedkey
user-identity ad-agent aaa-server adagent

4. Configure Identity Options on the ASA

user-identity domain ADDOMAIN aaa-server
user-identity default-domain ADDOMAIN

5. Example Object and Access List Configuration

object-group user USERNAME
    user ADDOMAIN\user1

object-group user GROUPNAME
    user-group ADDOMAIN\IT-ADMINs

access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host
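Once the five steps above are in place, the easiest thing to get wrong is a dangling cross-reference: a `user-identity domain` that points at an aaa-server group which does not exist, an ACL entry whose domain nickname was never defined, or an `object-group-user` name that was mistyped. The following script is an added example (not from the original post and not a Cisco tool) that walks an ASA config text and reports exactly those mismatches. The sample config it checks is constructed to mirror the steps in this post, with placeholder names and addresses (LDAP-SRV, 192.0.2.x, 198.51.100.x) filled in where the post leaves them out, plus two deliberately broken lines so the audit has something to find.

```python
"""Cross-check identity-firewall references in a Cisco ASA configuration.

Added example for this post; not Cisco code. It only parses the handful of
commands the post uses (aaa-server, user-identity, object-group user,
access-list) and cross-references them.
"""
import re

# Constructed sample based on the post's steps. Server group name, host
# addresses and the last two (intentionally broken) ACL lines are placeholders.
SAMPLE_CONFIG = r"""
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (INSIDE) host 192.0.2.10
 ldap-base-dn DC=addomain,DC=net
 ldap-group-base-dn DC=addomain,DC=net
 ldap-scope subtree
 server-type microsoft
 server-port 389
aaa-server adagent protocol radius
aaa-server adagent (INSIDE) host 192.0.2.20
 key secretpresharedkey
user-identity ad-agent aaa-server adagent
user-identity domain ADDOMAIN aaa-server LDAP-SRV
user-identity default-domain ADDOMAIN
object-group user GROUPNAME
 user-group ADDOMAIN\\IT-ADMINs
access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host 198.51.100.5
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host 198.51.100.5
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host 198.51.100.5
access-list INSIDE-IN extended permit ip user OTHERDOM\bob any host 198.51.100.5
access-list INSIDE-IN extended permit ip object-group-user MISSING any host 198.51.100.5
"""

# Identity keywords that can appear in an ACE or inside an object-group user body.
# Longest alternative first so "user-group" is not matched as "user".
IDENTITY_REF = re.compile(r"\b(object-group-user|user-group|user) (\S+)")


def audit_identity_config(config_text):
    """Return a list of findings; an empty list means all references resolve."""
    servers = {}         # aaa-server group name -> protocol (ldap / radius)
    domains = {}         # domain nickname -> aaa-server group it maps to
    user_groups = set()  # names defined with 'object-group user'
    ad_agent = None
    default_domain = None
    refs = []            # (config line, keyword, value) needing a lookup

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            servers[m[1]] = m[2]
        elif m := re.match(r"user-identity ad-agent aaa-server (\S+)$", line):
            ad_agent = m[1]
        elif m := re.match(r"user-identity domain (\S+) aaa-server (\S+)$", line):
            domains[m[1]] = m[2]
        elif m := re.match(r"user-identity default-domain (\S+)$", line):
            default_domain = m[1]
        elif m := re.match(r"object-group user (\S+)$", line):
            user_groups.add(m[1])
        elif line.startswith(("access-list", "user ", "user-group ")):
            for keyword, value in IDENTITY_REF.findall(line):
                refs.append((line, keyword, value))

    findings = []
    if ad_agent is None:
        findings.append("no 'user-identity ad-agent aaa-server' configured")
    elif servers.get(ad_agent) != "radius":
        findings.append(f"AD agent group '{ad_agent}' is not a RADIUS aaa-server")
    for nick, group in domains.items():
        if servers.get(group) != "ldap":
            findings.append(f"domain '{nick}' maps to '{group}', which is not an LDAP aaa-server")
    if default_domain and default_domain not in domains:
        findings.append(f"default-domain '{default_domain}' has no 'user-identity domain' entry")

    for line, keyword, value in refs:
        if keyword == "object-group-user":
            if value not in user_groups:
                findings.append(f"undefined object-group user '{value}' in: {line}")
            continue
        if value in ("any", "none"):
            continue  # built-in keywords, no domain lookup needed
        # 'DOMAIN\user' or 'DOMAIN\\group'; a bare name falls back to the default domain.
        domain = value.split("\\", 1)[0] if "\\" in value else default_domain
        if domain not in domains:
            findings.append(f"unknown domain '{domain}' in: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_identity_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` and an empty result means the LDAP group, the AD agent group, the domain nickname and every user or group reference in your ACLs line up; on the constructed sample it reports the undefined OTHERDOM domain and the missing object-group.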

More information about how to configure identity firewalling can be found here: Configuring the Identity Firewall
