39-21
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 39 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Step 2 From the Domain field, select the domain of the group or user that you want to add. The domain can be
the local domain or a specific Active Directory domain.
To add a domain for this access rule, click Manage. See Configuring the Active Directory Domain,
page 11.
Step 3 In the User Groups section, enter the group name in the Find field and click Find. To view all the user
groups in that domain, enter an asterisk (*). ASDM warns you that viewing all user groups can take a
long time to display the results, especially if the domain has a large number of groups.
The value you enter in the Find field filters the user groups for that domain.
The group name appears in the User Groups list. To add additional user groups for the Identity Firewall,
see Configuring Local User Groups, page 21.
Step 4 Select the groups that you want to add to the access rule and click Add. The groups appear in the
Selected User Groups and Users list.
Step 5 In the User section, enter the user name in the Find field and click Find. The user name appears in the
Users list.
Step 6 Select the user that you want to add to the access rule and click Add. The user appears in the Selected
User Groups and Users list.
Step 7 To manually enter user names, enter them in the text box and click Add. Separate each user name with
a comma. The user names appear in the Selected User Groups and Users list.
When you enter a user name manually and click Add, the user name appears in the Selected User Groups
and Users list with the default domain, for example default_domain\\sample_user1.
The Selected User Groups and Users list can contain users and user groups from multiple Active
Directory domains.
Step 8 Click OK to save your changes.
Configuring Local User Groups
The ASA sends an LDAP query to the Active Directory server for user groups globally defined in the
Active Directory domain controller. The ASA imports these groups for the Identity Firewall feature.
However, the ASA might protect localized network resources that are not defined globally in Active
Directory; such resources require local user groups with their own localized security policies.
Local user groups can contain nested groups and user groups that are imported from Active Directory.
The ASA consolidates local and Active Directory groups.
A user can belong to local user groups and user groups imported from Active Directory.
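The CLI configuration that the two ASDM procedures above produce (adding groups and users to an access rule, and defining a local user group that nests an imported Active Directory group) is shown here as an added example; it is not taken from the Cisco guide. The domain name SAMPLE, the group and user names, the LOCAL user labadmin and the 10.10.0.0/16 lab subnet are all constructed for illustration, and the example assumes the Identity Firewall is already enabled and joined to the domain as described in Configuring the Active Directory Domain.

```cisco
! Added example, not from the Cisco guide. SAMPLE, the group/user names and
! 10.10.0.0/16 are constructed values; replace them with your own.
!
! Local user group that only wraps an imported Active Directory group.
! Note the separator: user-group uses two backslashes, user uses one.
object-group user AD_ENGINEERING
 user-group SAMPLE\\Engineering
!
! Local user group with a nested group, a single AD user and a user from the
! LOCAL database (assumes a matching "username labadmin ..." entry exists).
object-group user LAB_ADMINS
 description Engineers plus one local break-glass account allowed into the lab
 group-object AD_ENGINEERING
 user SAMPLE\jdoe
 user LOCAL\labadmin
!
! Identity-aware access rule: the CLI equivalent of selecting LAB_ADMINS in the
! Selected User Groups and Users list. Anyone else reaching the lab subnet is
! denied and logged so that unexpected identities show up in syslog.
access-list INSIDE_IN extended permit ip object-group-user LAB_ADMINS any 10.10.0.0 255.255.0.0
access-list INSIDE_IN extended deny ip any 10.10.0.0 255.255.0.0 log
access-group INSIDE_IN in interface inside
!
! Verification (run from enable mode):
!   show user-identity user active   - confirms the IP-to-user mappings the rule relies on
!   show access-list INSIDE_IN       - shows hit counts per identity-based ACE
```

A user who belongs to both SAMPLE\\Engineering and the LOCAL database matches LAB_ADMINS through either path, which is the consolidation of local and Active Directory groups described above; if `show user-identity user active` shows no mapping for a host, the identity-based permit cannot match and the logged deny is what you will see.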
To configure local user groups, perform the following steps:
Step 1 Open the Configuration > Firewall > Objects > Local User Groups pane.
A table of user groups and their members appears.
Step 2 To add a group, click Add. The Add User Object Group dialog appears.