- About This Guide
-
- Information about AAA
- Configuring the Local Database for AAA
- Configuring RADIUS Servers for AAA
- Configuring TACACS+ Servers for AAA
- Configuring LDAP Servers for AAA
- Configuring Windows NT Servers for AAA
- Configuring the Identity Firewall
- Configuring the ASA to Integrate with Cisco TrustSec
- Configuring Digital Certificates
- Index
Configuring the Identity Firewall
This chapter describes how to configure the ASA for the Identity Firewall and includes the following sections:
Information About the Identity Firewall
This section includes the following topics:
- Overview of the Identity Firewall
- Architecture for Identity Firewall Deployments
- Features of the Identity Firewall
- Deployment Scenarios
Overview of the Identity Firewall
In an enterprise, users often need access to one or more server resources. Typically, a firewall is not aware of the users’ identities and, therefore, cannot apply security policies based on identity. To configure per-user access policies, you must configure a user authentication proxy, which requires user interaction (a username/password query).
The Identity Firewall in the ASA provides more granular access control based on users’ identities. You can configure access rules and security policies based on user names and user group names rather than through source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped usernames instead of network IP addresses.
The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses and allows transparent authentication for Active Directory users.
Identity-based firewall services enhance the existing access control and security policy mechanisms by allowing users or groups to be specified in place of source IP addresses. Identity-based security policies can be interleaved without restriction between traditional IP address-based rules.
Architecture for Identity Firewall Deployments
The Identity Firewall integrates with Window Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping.
The identity firewall consists of three components:
Although Active Directory is part of the Identity Firewall on the ASA, Active Directory administrators manage it. The reliability and accuracy of the data depends on data in Active Directory.
Supported versions include Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 servers.
The AD Agent runs on a Windows server. Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.
Note Windows 2003 R2 is not supported for the AD Agent server.
Figure 38-1 show the components of the Identity Firewall. The succeeding table describes the roles of these components and how they communicate with one another.
Figure 38-1 Identity Firewall Components
Features of the Identity Firewall
The Identity Firewall includes the following key features.
- The ASA can retrieve user identity and IP address mapping from the AD Agent by querying the AD Agent for each new IP address or by maintaining a local copy of the entire user identity and IP address database.
- Supports host group, subnet, or IP address for the destination of a user identity policy.
- Supports a fully qualified domain name (FQDN) for the source and destination of a user identity policy.
- Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature works in tandem with the existing 5-tuple solution.
- Supports use with IPS and Application Inspection policies.
- Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN and cut-through proxy. All retrieved users are populated to all ASAs that are connected to the AD Agent.
- Each AD Agent supports 100 ASAs. Multiple ASAs are able to communicate with a single AD Agent to provide scalability in larger network deployments.
- Supports 30 Active Directory servers provided the IP address is unique among all domains.
- Each user identity in a domain can have up to 8 IP addresses.
- Supports up to 64,000 user identity-IP address mapped entries in active policies for the ASA 5500 Series models. This limit controls the maximum number of users who have policies applied. The total number of users are the aggregate of all users configured in all different contexts.
- Supports up to 1024 user identity-IP address mapped entries in active policies for the ASA 5505.
- Supports up to 256 user groups in active ASA policies.
- A single access rule can contain one or more user groups or users.
- Supports multiple domains.
- The ASA retrieves group information from the Active Directory and falls back to web authentication for IP addresses when the AD Agent cannot map a source IP address to a user identity.
- The AD Agent continues to function when any of the Active Directory servers or the ASA are not responding.
- Supports configuring a primary AD Agent and a secondary AD Agent on the ASA. If the primary AD Agent stops responding, the ASA can switch to the secondary AD Agent.
- If the AD Agent is unavailable, the ASA can fall back to existing identity sources such as cut-through proxy and VPN authentication.
- The AD Agent runs a watchdog process that automatically restarts its services when they are down.
- Allows a distributed IP address/user mapping database for use among ASAs.
Deployment Scenarios
You can deploy the components of the Identity Firewall in the following ways, depending on your environmental requirements.
Figure 38-2 shows how you can deploy the components of the Identity Firewall to allow for redundancy. Scenario 1 shows a simple installation without component redundancy. Scenario 2 also shows a simple installation without redundancy. However, in this deployment scenario, the Active Directory server and AD Agent are co-located on the same Windows server.
Figure 38-2 Deployment Scenario without Redundancy
Figure 38-3 shows how you can deploy the Identity Firewall components to support redundancy. Scenario 1 shows a deployment with multiple Active Directory servers and a single AD Agent installed on a separate Windows server. Scenario 2 shows a deployment with multiple Active Directory servers and multiple AD Agents installed on separate Windows servers.
Figure 38-3 Deployment Scenario with Redundant Components
Figure 38-4 shows how all Identity Firewall components—Active Directory server, the AD Agent, and the clients—are installed and communicate on the LAN.
Figure 38-4 LAN -based Deployment
Figure 38-5 shows a WAN-based deployment to support a remote site. The Active Directory server and the AD Agent are installed on the main site LAN. The clients are located at a remote site and connect to the Identity Firewall components over a WAN.
Figure 38-5 WAN-based Deployment
Figure 38-6 also shows a WAN-based deployment to support a remote site. The Active Directory server is installed on the main site LAN. However, the AD Agent is installed and accessed by the clients at the remote site. The remote clients connect to the Active Directory servers at the main site over a WAN.
Figure 38-6 WAN-based Deployment with Remote AD Agent
Figure 38-7 shows an expanded remote site installation. An AD Agent and Active Directory servers are installed at the remote site. The clients access these components locally when logging into network resources located at the main site. The remote Active Directory server must synchronize its data with the central Active Directory servers located at the main site.
Figure 38-7 WAN-based Deployment with Remote AD Agent and AD Servers
Licensing for the Identity Firewall
The following table shows the licensing requirements for this feature:
|
|
---|---|
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall modes.
- The Identity Firewall supports user identity-IP address mapping and AD Agent status replication from active to standby when Stateful Failover is enabled. However, only user identity-IP address mapping, AD Agent status, and domain status are replicated. User and user group records are not replicated to the standby ASA.
- When failover is configured, the standby ASA must also be configured to connect to the AD Agent directly to retrieve user groups. The standby ASA does not send NetBIOS packets to clients even when the NetBIOS probing options are configured for the Identity Firewall.
- When a client is determined to be inactive by the active ASA, the information is propagated to the standby ASA. User statistics are not propagated to the standby ASA.
- When you have failover configured, you must configure the AD Agent to communicate with both the active and standby ASAs. See the Installation and Setup Guide for the Active Directory Agent for the steps to configure the ASA on the AD Agent server.
- Supports IPv6.
- The AD Agent supports endpoints with IPv6 addresses. It can receive IPv6 addresses in log events, maintain them in its cache, and send them through RADIUS messages.
- NetBIOS over IPv6 is not supported.
Additional Guidelines and Limitations
- A full URL as a destination address is not supported.
- For NetBIOS probing to function, the network between the ASA, AD Agent, and clients must support UDP-encapsulated NetBIOS traffic.
- MAC address checking by the Identity Firewall does not work when intervening routers are present. Users logged into clients that are behind the same router have the same MAC addresses. With this implementation, all the packets from the same router are able to pass the check, because the ASA is unable to ascertain the actual MAC addresses behind the router.
- The following ASA features do not support using the identity-based object and FQDN in an extended ACL:
– Group policy (except for VPN filters)
- You can use the user-identity update active-user-database command to actively initiate a user-IP address download from the AD agent.
By design, if a previous download session has finished, the ASA does not allow you to issue this command again.
As a result, if the user-IP database is very large, the previous download session is not finished yet, and you issue another user-identity update active-user-database command, the following error message appears:
You need to wait until the previous session is completely finished, then you can issue another user-identity update active-user-database command.
Another example of this behavior occurs because of packet loss from the AD Agent to the ASA.
When you issue a user-identity update active-user-database command, the ASA requests the total number of user-IP mapped entries to be downloaded. Then the AD Agent initiates a UDP connection to the ASA and sends the change of authorization request packet.
If for some reason the packet is lost, there is no way for the ASA to discern this. As a result, the ASA holds the session for 4-5 minutes, during which time this error message continues to appear if you have issued the user-identity update active-user-database command.
- When you use the Cisco Context Directory Agent (CDA) in conjunction with the ASA or Cisco Ironport Web Security Appliance (WSA), make sure that you open the following ports:
– Authentication port for UDP—1645
– Accounting port for UDP—1646
The listening port is used to send change of authorization requests from the CDA to the ASA or to the WSA.
- For domain names, the following characters are not valid: \/:*?"<>|. For naming conventions, see http://support.microsoft.com/kb/909264 .
- For usernames, the following characters are not valid: \/[]:;=,+*?"<>|@.
- For user group names, the following characters are not valid: \/[]:;=,+*?"<>|.
Prerequisites
Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent and Microsoft Active Directory.
- The AD Agent must be installed on a Windows server that is accessible to the ASA. Additionally, you must configure the AD Agent to obtain information from the Active Directory servers and to communicate with the ASA.
- Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.
Note Windows 2003 R2 is not supported for the AD Agent server.
- For the steps to install and configure the AD Agent, see the Installation and Setup Guide for the Active Directory Agent .
- Before configuring the AD Agent in the ASA, obtain the secret key value that the AD Agent and the ASA use to communicate. This value must match on both the AD Agent and the ASA.
- Microsoft Active Directory must be installed on a Windows server and accessible by the ASA. Supported versions include Windows 2003, 2008, and 2008 R2 servers.
- Before configuring the Active Directory server on the ASA, create a user account in Active Directory for the ASA.
- Additionally, the ASA sends encrypted log-in information to the Active Directory server by using SSL enabled over LDAP. SSL must be enabled on the Active Directory server. See the documentation for Microsoft Active Directory for how to enable SSL for Active Directory.
Note Before running the AD Agent Installer, you must install the patches listed in the README First for the Cisco Active Directory Agent on each Microsoft Active Directory server that the AD Agent monitors. These patches are required even when the AD Agent is installed directly on the domain controller server.
Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
To configure the Identity Firewall, perform the following tasks:
Step 1 Configure the Active Directory domain in the ASA.
See the “Configuring the Active Directory Domain” section.
See also the “Deployment Scenarios” section for the ways in which you can deploy the Active Directory servers to meet your environment requirements.
Step 2 Configure the AD Agent in ASA.
See the “Configuring Active Directory Agents” section.
See also “Deployment Scenarios” section for the ways in which you can deploy the AD Agents to meet your environment requirements.
Step 3 Configure Identity Options.
See the “Configuring Identity Options” section.
Step 4 Configure Identity-based Security Policy. After the AD domain and AD Agent are configured, you can create identity-based object groups and ACLs for use in many features.
See the “Configuring Identity-Based Security Policy” section.
Configuring the Active Directory Domain
Active Directory domain configuration on the ASA is required for the ASA to download Active Directory groups and accept user identities from specific domains when receiving IP-user mapping from the AD Agent.
Prerequisites
- Active Directory server IP address
- Distinguished Name for LDAP base DN
- Distinguished Name and password for the Active Directory user that the Identity Firewall uses to connect to the Active Directory domain controller
To configure the Active Directory domain, perform the following steps:
Configuring Active Directory Agents
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to the secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between the ASA and AD Agent.
Make sure that you have the following information before configuring the AD Agents:
To configure the AD Agents, perform the following steps:
What to Do Next
Configure access rules for the Identity Firewall. See the “Configuring Identity-Based Security Policy” section.
Configuring Identity Options
Perform this procedure to add or edit the Identity Firewall feature; check the Enable check box to enable the feature. By default, the Identity Firewall feature is disabled.
Prerequisites
Before configuring the identify options for the Identity Firewall, you must meet the prerequisites for the AD Agent and Microsoft Active Directory. See the “Prerequisites” section for the requirements of the AD Agent and Microsoft Active Directory installation.
To configure the Identity Options for the Identity Firewall, perform the following steps:
What to Do Next
Configure the Active Directory domain and server groups. See the “Configuring the Active Directory Domain” section.
Configure AD Agents. See the “Configuring Active Directory Agents” section.
Configuring Identity-Based Security Policy
You can incorporate identity-based policy in many ASA features. Any feature that uses extended ACLs (other than those listed as unsupported in the “Guidelines and Limitations” section) can take advantage of an identity firewall. You can now add user identity arguments to extended ACLs, as well as network-based parameters.
- To configure an extended ACL, see Chapter19, “Adding an Extended Access Control List”
- To configure local user groups, which can be used in the ACL, see the “Configuring Local User Groups” section.
Features that can use identity include the following:
- Access rules—An access rule permits or denies traffic on an interface using network information. With an identity firewall, you can control access based on user identity. See Chapter 6, “Configuring Access Rules,” in the firewall configuration guide.
- AAA rules—An authentication rule (also known as cut-through proxy) controls network access based on the user. Because this function is very similar to an access rule plus an identity firewall, AAA rules can now be used as a backup method of authentication if a user’s AD login expires. For example, for any user without a valid login, you can trigger a AAA rule. To ensure that the AAA rule is only triggered for users that do not have valid logins, you can specify special usernames in the extended ACL used for the access rule and for the AAA rule: None (users without a valid login) and Any (users with a valid login). In the access rule, configure your policy as usual for users and groups, but then include a AAA rule that permits all None users; you must permit these users so they can later trigger a AAA rule. Then, configure a AAA rule that denies Any users (these users are not subject to the AAA rule, and were handled already by the access rule), but permits all None users. For example:
For more information, see Chapter 7, “Configuring AAA Rules for Network Access,” in the firewall configuration guide.
- Cloud Web Security—You can control which users are sent to the Cloud Web Security proxy server. In addition, you can configure policy on the Cloud Web Security ScanCenter that is based on user groups that are included in ASA traffic headers sent to Cloud Web Security. See Chapter 25, “Configuring the ASA for Cisco Cloud Web Security,” in the firewall configuration guide.
- VPN filter—Although a VPN does not support identity firewall ACLs in general, you can configure the ASA to enforce identity-based access rules on VPN traffic. By default, VPN traffic is not subject to access rules. You can force VPN clients to abide by access rules that use an identity firewall ACL (with the no sysopt connection permit-vpn command). You can also use an identity firewall ACL with the VPN filter feature; a VPN filter accomplishes a similar effect as allowing access rules in general.
Collecting User Statistics
To activate the collection of user statistics by the Modular Policy Framework and match lookup actions for the Identify Firewall, enter the following command:
Configuration Examples
This section includes the following topics:
AAA Rule and Access Rule Example 1
This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA. In this example, the following conditions apply:
- The ASA IP address is 172.1.1.118.
- The Active Directory domain controller has the IP address 71.1.2.93.
- The end-user client has the IP address 172.1.1.118 and uses HTTPS to log in through a web portal.
- The user is authenticated by the Active Directory domain controller via LDAP.
- The ASA uses the inside interface to connect to the Active Directory domain controller on the corporate network.
AAA Rule and Access Rule Example 2
In this example, the following guidelines apply:
- In access list commands, permit user NONE rules should be written before entering the access-list 100 ex deny any any command to allow unauthenticated incoming users to trigger AAA cut-through proxy.
- In the auth access-list command, permit user NONE rules guarantee only unauthenticated trigger cut-through proxy. Ideally, they should be the last lines.
VPN Filter Example
Some traffic might need to bypass the Identity Firewall.
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD Agent, which distributes the user information to all registered ASA devices. Specifically, the IP-user mapping of authenticated users is forwarded to all ASA contexts that include the input interface where HTTP/HTTPS packets are received and authenticated. The ASA designates users logging in through a VPN as belonging the LOCAL domain.
There are two different ways to apply identity firewall (IDFW) rules to VPN users:
VPN with IDFW Rule -1 Example
By default, the sysopt connection permit-vpn command is enabled and VPN traffic is exempted from an access list check. To apply interface-based ACL rules for VPN traffic, VPN traffic access list bypassing needs to be disabled.
In this example, if the user logs in from the outside interface, the IDFW rules control which network resources are accessible. All VPN users are to be stored under the LOCAL domain. Therefore, it is only meaningful to apply the rules for LOCAL users or object groups that include LOCAL users.
VPN with IDFW Rule -2 Example
By default, the sysopt connection permit-vpn command is enabled, with VPN traffic access bypassing enabled. A VPN filter can be used to apply the IDFW rules to the VPN traffic. A VPN filter with IDFW rules can be defined in the CLI username and group policy.
In the example, when user idfw logs in, the user can access network resources in the 10.0.00/24 subnet. However, when user user1 logs in, access to network resources in 10.0.00/24 subnet is denied. Note that all VPN users are stored under the LOCAL domain. Therefore, it is only meaningful to apply the rules for LOCAL users or object groups that include LOCAL users.
Note IDFW rules can only be applied to VPN filters under group policy and are not available in all of the other group policy features.
Monitoring the Identity Firewall
This section includes the following topics:
- Monitoring AD Agents
- Monitoring Groups
- Monitoring Memory Usage for the Identity Firewall
- Monitoring Users for the Identity Firewall
Monitoring AD Agents
To obtain troubleshooting information for the AD Agent, use one of the following commands:
These commands display the following information about the primary and secondary AD Agents:
Monitoring Groups
To obtain troubleshooting information for the user groups configured for the Identity Firewall, use the show user-identity group command.
Monitoring Memory Usage for the Identity Firewall
To obtain troubleshooting information for memory usage for the Identity Firewall, use the show user-identity memory command.
The command displays the memory usage in bytes of various modules in the Identity Firewall:
The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory server. The Active Directory server authenticates users and generates user login security logs.
Note How you configure the Identity Firewall to retrieve user information from the AD Agent affects the amount of memory used by the feature. You specify whether the ASA uses on-demand retrieval or full download retrieval. Choosing on-demand retrieval has the benefit of using less memory because only users of received packets are queried and stored. For more information, see the “Configuring Identity Options” section.
Monitoring Users for the Identity Firewall
To obtain troubleshooting information for the AD Agent, enter one of the following commands:
These commands display the following information for users:
The default domain name can be the real domain name, a special reserved word, or LOCAL. The Identity Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users (users who log in and authenticate by using a VPN or web portal). When the default domain is not specified, the default domain is LOCAL.
The idle time is stored on a per-user basis instead of by the IP address of a user.
If the command user - identity action domain - controller - down domain _ name disable - user - identity - rule is configured and the specified domain is down, or if the user - identity action ad - agent - down disable - user - identity - rule command is configured and the AD Agent is down, all the logged-in users have the disabled status.
Feature History for the Identity Firewall
Table 38-1 lists the release history for this feature.