I am currently testing identity firewalling with a Cisco ASA for a new office network infrastructure.
The configuration is straightforward and easy to set up:
1. Configure AAA LDAP Server
aaa-server addomain.net protocol ldap
aaa-server addomain.net (INSIDE) host 10.1.0.1
ldap-base-dn DC=addomain,DC=net
ldap-group-base-dn DC=addomain,DC=net
ldap-scope subtree
server-type microsoft
server-port 389
ldap-login-dn *username*
ldap-login-password *password*
exit
If you use LDAP over SSL you need to enable it in the host block with "ldap-over-ssl enable" and change the server port to 636. Without it the ldap-login-dn bind (and its password) crosses the network in cleartext on port 389.
2. Configure Windows Cisco AD Agent
Install the Cisco AD Agent on one of your Windows servers; do not install it on the Domain Controller if you also want to run NPS there!
adacfg client create -name ASA5515 -ip 10.1.0.250/32 -secret secretpresharedkey
adacfg dc create -name DC01 -host DC01.addomain.net -domain addomain.net -user Administrator -password *password*
2.1 Check Windows AD Agent Configuration
C:\IBF\CLI\adactrl.exe show running
C:\IBF\CLI\adacfg.exe client list
C:\IBF\CLI\adacfg.exe dc list
3. Configure AD Agent on the ASA
aaa-server adagent protocol radius
ad-agent-mode
aaa-server adagent (INSIDE) host 10.1.0.2
key secretpresharedkey
user-identity ad-agent aaa-server adagent
4. Configure Identity options on the ASA
user-identity domain ADDOMAIN aaa-server addomain.net
user-identity default-domain ADDOMAIN
user-identity enable
The last line switches the identity firewall on; without it the user and user-group entries in the access lists below never match.
5. Example Object and Access List Configuration
object-group user USERNAME
user ADDOMAIN\user1
exit
object-group user GROUPNAME
user-group ADDOMAIN\IT-ADMINs
exit
access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host 10.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host 10.1.1.1
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host 20.1.1.1
Note the double backslash for user-group inside an access list versus the single backslash inside object-group user. Finally apply the access list to the interface, otherwise it has no effect:
access-group INSIDE-IN in interface INSIDE
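The pieces above have to agree with each other (the LDAP base DNs, the aaa-server names referenced by user-identity, the domain prefix in every ACL entry), and a single typo silently breaks the whole thing. The following linter is an added example and is not code from the original post or from Cisco: it parses an ASA-style config text and reports the mistakes I would check for before going live. The command keywords are real ASA CLI keywords; the check names, messages, and the constructed SAMPLE_CONFIG (a copy of the snippets above with a few deliberate mistakes, including the group base DN typo, left in) are my own.

```python
"""Lint a Cisco ASA identity-firewall config for common mistakes.

Added example, not from the original post or from Cisco. SAMPLE_CONFIG is a
constructed copy of the post's snippets with deliberate errors to find.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = r"""
aaa-server addomain.net protocol ldap
aaa-server addomain.net (INSIDE) host 10.1.0.1
 ldap-base-dn DC=addomain,DC=net
 ldap-group-base-dn DC=addomin,DC=net
 ldap-scope subtree
 server-type microsoft
 server-port 389
 ldap-login-dn CN=svc-asa,OU=Service,DC=addomain,DC=net
 ldap-login-password placeholder
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (INSIDE) host 10.1.0.2
 key secretpresharedkey
user-identity ad-agent aaa-server adagent
user-identity domain ADDOMAIN aaa-server addomain.net
user-identity default-domain ADDOMAIN
object-group user GROUPNAME
 user-group ADDOMAIN\IT-ADMINs
access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host 10.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host 10.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\ADMINs any host 10.1.1.1
access-list INSIDE-IN extended permit ip user OTHERDOM\bob any host 10.1.1.1
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host 20.1.1.1
"""


@dataclass
class AaaHost:
    group: str
    host: str
    attrs: dict = field(default_factory=dict)  # indented sub-commands


HOST_RE = re.compile(r"aaa-server (\S+) \(\S+\) host (\S+)")
DOMAIN_RE = re.compile(r"user-identity domain (\S+) aaa-server (\S+)")
AGENT_RE = re.compile(r"user-identity ad-agent aaa-server (\S+)")
# 'user' / 'user-group' references in an ACL; the lookbehind keeps the
# 'user' at the end of 'object-group-user' from matching.
ACL_REF_RE = re.compile(r"(?<!-)\b(user|user-group)\s+(\S+)")


def parse_config(text):
    """Collect aaa-server host blocks, identity domains and ACL lines."""
    hosts, domains, acls, agent, enabled = [], {}, [], None, False
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith(" "):  # sub-command of the current host block
            if current is not None:
                key, _, val = line.strip().partition(" ")
                current.attrs[key] = val
            continue
        current = None
        if m := HOST_RE.match(line):
            current = AaaHost(m.group(1), m.group(2))
            hosts.append(current)
        elif m := DOMAIN_RE.match(line):
            domains[m.group(1)] = m.group(2)
        elif m := AGENT_RE.match(line):
            agent = m.group(1)
        elif line == "user-identity enable":
            enabled = True
        elif line.startswith("access-list "):
            acls.append(line)
    return hosts, domains, acls, agent, enabled


def dc_domain(dn):
    """'DC=addomain,DC=net' -> 'addomain.net' (only the DC components)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:].lower() for p in parts if p.upper().startswith("DC="))


def lint(text):
    """Return a list of human-readable findings; empty list means clean."""
    hosts, domains, acls, agent, enabled = parse_config(text)
    groups = {h.group for h in hosts}
    findings = []
    for h in hosts:
        a = h.attrs
        if "ldap-base-dn" not in a:
            continue  # not an LDAP host (e.g. the RADIUS AD-agent entry)
        base = dc_domain(a["ldap-base-dn"])
        grp = dc_domain(a.get("ldap-group-base-dn", a["ldap-base-dn"]))
        if grp != base:
            findings.append(f"{h.group}: ldap-group-base-dn points at {grp}, ldap-base-dn at {base} (typo?)")
        ssl = a.get("ldap-over-ssl") == "enable"
        port = a.get("server-port", "636" if ssl else "389")
        if ssl and port != "636":
            findings.append(f"{h.group}: ldap-over-ssl enabled but server-port is {port}, expected 636")
        if not ssl:
            findings.append(f"{h.group}: ldap-over-ssl not enabled; the ldap-login-password bind to {h.host} is cleartext")
    if not enabled:
        findings.append("user-identity enable is missing; identity-based ACL entries will not match")
    if agent is None or agent not in groups:
        findings.append(f"user-identity ad-agent aaa-server {agent} is missing or undefined")
    for name, group in domains.items():
        if group not in groups:
            findings.append(f"user-identity domain {name} refers to undefined aaa-server {group}")
    for line in acls:
        for kw, ref in ACL_REF_RE.findall(line):
            # ASA ACL syntax: user DOMAIN\name, but user-group DOMAIN\\name
            sep = "\\\\" if kw == "user-group" else "\\"
            if sep not in ref:
                findings.append(f"{kw} {ref}: write it as DOMAIN{sep}name in an access-list")
                continue
            domain = ref.split("\\", 1)[0]
            if domain not in domains and domain != "LOCAL":
                findings.append(f"{kw} {ref}: domain {domain} has no user-identity domain mapping")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a "show running-config" dump saved to a file by passing the file contents to lint(); on the constructed sample it reports the DC=addomin typo, the cleartext LDAP bind, the missing "user-identity enable", the single-backslash user-group entry and the ACL entry whose domain has no user-identity domain mapping.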
More information about how to configure identity firewalling can be found here: Configuring the Identity Firewall