Cisco ASA 5505 User Manual

36-23

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36 Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

•

If the backslash (\) delimiter is not found in the log in credentials, the ASA does not parse a domain
and authentication is conducted with the AAA server that corresponds to default domain configured
for the Identity Firewall.

•

If a default domain or a server group is not configured for that default domain, the ASA rejects the
authentication.

•

If the domain is not specified, the ASA selects the AAA server group for the default domain that is
configured for the Identity Firewall.

Detailed Steps

To configure the cut-through proxy for the Identity Firewall, perform the following steps:

Examples

Example 1

This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA.
In this example, the following conditions apply:

Command

Purpose

Step 1

hostname(config)# access-list access_list_name

extended

permit tcp any user_ip_address

255.255.255.255 eq http

hostname(config)# access-list access_list_name

extended

permit tcp any user_ip_address

255.255.255.255 eq https

Examples:

hostname(config)# access-list listenerAuth extended

permit tcp any any

Creates an access list that permits traffic from the
users client that uses the HTTP or HTTPS protocol.

Step 2

hostname(config)# aaa authentication listener http

inside

port port

Examples:

hostname(config)# aaa authentication listener http

inside port 8888

Enables HTTP(S) listening ports to authenticate the
user.

Step 3

hostname(config)# access-list access_list_name {deny

| permit} protocol [{user-group

[domain_name\\]user_group_name | user

{[domain_name\\]user_name | any | none} |

object-group-user

object_group_user_name}] {any |

host

sip | sip smask | interface name | object

src_object_name | object-group

network_object_group_name> [eq port | …]

{object-group-user dst_object_group_name | object

dst_object_name host dst_host_name | ip_address}

[object-group service_object_name | eq port | …]

Examples:

hostname(config)# access-list 100 ex deny ip user

CISCO\abc any any

hostname(config)# access-list 100 ex permit ip user

NONE any any

Creates an access control entry that controls access
using user identity or group identity.

See the access-list extended command in the Cisco
ASA 5500 Series Command Reference for a
complete description of the command syntax.

The keywords user-group any and user-group
none can be specified to support cut-through proxy
authentication.

•

any—The access list matches any IP addresses
that has already been associated with any users.

•

none—The access list matches any IP addresses
that has not been associated with any IP address.

Step 4

hostname(config)# aaa authenticate match

access_list_name inside user-identity

Examples:

aaa authenticate match listenerAuth inside

user-identity

Enables authentication for connections through the
ASA and matches it to the Identity Firewall feature.