Someone please breakdown Identity Firewall for me


Hi, in section 6 "Perimeter Security and Services - ASA Firewall" of the CCIE Security technology workbook, the Identity Firewall task has me confused.

What is the purpose of having both an AD and a RADIUS aaa-server configured on the ASA? If the ASA is getting user authentication from the AD server, why is RADIUS necessary to an AD Agent?

The documentation shows this below, but it does not explain the reasoning very well. In Step 3, it says it uses RADIUS to query the AD Agent for the user's IP address. Why is that important?

Does Identity Firewall always use LDAP and RADIUS? If so, why? If not, why not?

Can Identity Firewall work with just LDAP or just RADIUS? If so, why? If not, why not?


On the ASA: Configure local user groups and Identity Firewall policies.

Client <-> ASA: The client logs onto the network through Microsoft Active Directory. The AD Server authenticates users and generates user logon security logs.

Alternatively, the client can log onto the network through a cut-through proxy or by using VPN.

ASA <-> AD Server: The ASA sends an LDAP query for the Active Directory groups configured on the AD Server.

The ASA consolidates local and Active Directory groups and applies access rules and MPF security policies based on user identity.

ASA <-> Client: Based on the policies configured on the ASA, it grants or denies access to the client.

If configured, the ASA probes the NetBIOS of the client to pass inactive and no-response users.

ASA <-> AD Agent: Depending on the Identity Firewall configuration, the ASA downloads the IP-user database or sends a RADIUS request to the AD Agent querying the user's IP address.

The ASA forwards the new mappings learned from web authentication and VPN sessions to the AD Agent.

AD Agent <-> AD Server: Periodically or on-demand, the AD Agent monitors the AD Server security event log file via WMI for client login and logoff events.

The AD Agent maintains a cache of user ID and IP address mappings and notifies the ASA of changes.

The AD Agent sends logs to a syslog server.
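As an added example (not from the original post, the workbook, or Cisco's documentation), the ASA configuration fragment below wires up the two server roles the flow above describes: an LDAP aaa-server that the ASA queries for Active Directory group membership ("ASA <-> AD Server"), and a RADIUS aaa-server in AD-agent mode that the ASA uses to learn user-to-IP mappings ("ASA <-> AD Agent"). Host addresses, the domain name, the bind account, the shared secret, and the user and group names are constructed placeholders; the identity ACL at the end shows how a policy is written against a user or group name rather than an address.

```cisco
! Constructed example; addresses, names, passwords and keys are placeholders.
!
! 1. LDAP server: the "ASA <-> AD Server" step. The ASA binds to AD and
!    pulls the group membership for the domain configured further down.
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-ldap,CN=Users,DC=example,DC=local
 ldap-login-password Placeh0lder!
 server-type microsoft
!
! 2. RADIUS server in ad-agent-mode: the "ASA <-> AD Agent" step. The ASA
!    asks the agent which IP address a logged-on user currently holds, or
!    downloads the agent's whole IP-user database.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.0.2.11
 key Placeh0lderSharedSecret
!
! 3. Bind each server to its Identity Firewall role.
user-identity domain EXAMPLE aaa-server adserver
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server adagent
! Pull the full IP-user database from the agent instead of per-IP queries.
user-identity ad-agent active-user-database full-download
! If the agent becomes unreachable, stop matching identity-based ACEs
! (traffic then falls through to the address-based entries).
user-identity action ad-agent-down disable-user-identity-rule
user-identity enable
!
! 4. Identity-based policy: a group learned over LDAP and a single user,
!    both referenced by name. The ASA resolves them to source addresses
!    using the mappings learned from the AD Agent.
object-group user NETOPS
 user-group EXAMPLE\\NetOps
access-list INSIDE_IN extended permit tcp object-group-user NETOPS any any eq 22
access-list INSIDE_IN extended deny tcp user EXAMPLE\jdoe any any eq 22
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 5. Verification (exec mode), to confirm each link in the flow separately:
!    test aaa-server ad-agent adagent          -> RADIUS path to the agent
!    show user-identity user active            -> mappings the ASA holds
!    show user-identity ip-of-user EXAMPLE\jdoe -> one user's current IP
```

The split the configuration makes visible is the one the documentation flow describes: the LDAP server answers "which groups does this user belong to", while the AD Agent (reached over RADIUS) answers "which IP address is this user on right now". The ACL needs both answers before a packet can be matched against a user or group name.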
