IEOC - INE's Online Community

Latest post 10-22-2015 5:31 PM by Lance. 0 replies.
  • 10-22-2015 5:31 PM

    Someone please break down Identity Firewall for me


    Hi, in section 6 "Perimeter Security and Services - ASA Firewall" of the CCIE Security technology workbook, the Identity Firewall task has me confused.

    What is the purpose of having both an AD and a RADIUS aaa-server configured on the ASA? If the ASA is getting user authentication from the AD server, why is RADIUS necessary for an AD Agent?

    The documentation shows this below, but it does not explain the reasoning very well. In Step 3, it says it uses RADIUS to query the AD Agent for the user's IP address. Why is that important?

    Does Identity Firewall always use LDAP and RADIUS? If so, why? Why not?

    Can Identity Firewall work with just LDAP or just RADIUS? If so, why? Why not?


    On the ASA : Configure local user groups and Identity Firewall policies.


    Client <-> ASA : The client logs onto the network through Microsoft Active Directory. The AD Server authenticates users and generates user logon security logs.

    Alternatively, the client can log onto the network through a cut-through proxy or by using VPN.


    ASA <-> AD Server : The ASA sends an LDAP query for the Active Directory groups configured on the AD Server.

    The ASA consolidates local and Active Directory groups and applies access rules and MPF security policies based on user identity.


    ASA <-> Client : Based on the policies configured on the ASA, it grants or denies access to the client.

    If configured, the ASA probes the NetBIOS of the client to pass inactive and no-response users.


    ASA <-> AD Agent : Depending on the Identity Firewall configuration, the ASA downloads the IP-user database or sends a RADIUS request to the AD Agent querying the user’s IP address.

    The ASA forwards the new mappings learned from web authentication and VPN sessions to the AD Agent.


    AD Agent <-> AD Server : Periodically or on-demand, the AD Agent monitors the AD Server security event log file via WMI for client login and logoff events.

    The AD Agent maintains a cache of user ID and IP address mappings and notifies the ASA of changes.

    The AD Agent sends logs to a syslog server.

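An added configuration example, written for this page and not taken from the post, the workbook or Cisco's documentation, showing how the two aaa-server groups map onto the quoted flow. The LDAP server group is what the "ASA <-> AD Server" step uses to pull group membership from Active Directory; the RADIUS server group in AD Agent mode is what the "ASA <-> AD Agent" step uses to obtain the user-to-IP mappings that turn a group name into a source address the firewall can actually match in an access list. Interface names, addresses, the domain name EXAMPLE, object names and credentials are placeholders.

```cisco
! Added example (not from the post or Cisco docs). All addresses, names and
! credentials below are placeholders.

! 1. LDAP server group: used to query Active Directory for group membership
!    ("ASA <-> AD Server" in the quoted flow).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-password PLACEHOLDER
 ldap-login-dn CN=asa-svc,OU=Service Accounts,DC=example,DC=com
 server-type microsoft

! 2. RADIUS server group in AD Agent mode: used to download the IP-user
!    database from, or query, the AD Agent ("ASA <-> AD Agent").
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (inside) host 192.0.2.20
 key PLACEHOLDER

! 3. Identity Firewall: bind the AD domain to the LDAP group and the
!    AD Agent to the RADIUS group, then enable.
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server AD-AGENT
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity enable

! 4. Identity-based policy: only members of the Finance AD group may reach
!    the finance server over HTTPS; everyone else is denied explicitly.
object network FINANCE-SRV
 host 192.0.2.50
access-list INSIDE-IN extended permit tcp user-group EXAMPLE\\Finance any object FINANCE-SRV eq 443
access-list INSIDE-IN extended deny ip any object FINANCE-SRV
access-group INSIDE-IN in interface inside
```

The point of the explicit deny line is that an identity rule can only match a packet whose source address has been resolved to a user; a host with no mapping from the AD Agent (logged on before the agent started, a non-domain machine, or a stale cache entry) falls through the permit and should hit a deny rather than a default that does not consider identity. To confirm the agent side is actually feeding mappings, check the agent connection state and the learned mappings on the ASA with `show user-identity ad-agent` and `show user-identity user all` before trusting the policy.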