-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
uc-ime through username-prompt Commands
url-list (group-policy webvpn)
user-authentication-idle-timeout
user-identity action ad-agent-down
user-identity action domain-controller-down
user-identity action mac-address-mismatch
user-identity action netbios-response-fail
user-identity ad-agent aaa-server
user-identity ad-agent active-user-database
user-identity ad-agent hello-timer
user-identity inactive-user-timer
user-identity poll-import-user-group-timer
user-identity update active-user-database
user-identity update import-user
uc-ime through username-prompt Commands
uc-ime
To create the Cisco Intercompany Media Engine proxy instance, use the uc-ime command in global configuration mode. To remove the proxy instance, use the no form of this command.
uc-ime uc-ime_name
no uc-ime uc-ime_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Configures the Cisco Intercompany Media Engine proxy. Cisco Intercompany Media Engine enables companies to interconnect on-demand, over the Internet with advanced features made available by VoIP technologies. Cisco Intercompany Media Engine allows for business-to-business federation between Cisco Unified Communications Manager clusters in different enterprises by utilizing peer-to-peer, security, and SIP protocols to create dynamic SIP trunks between businesses. A collection of enterprises work together to end up looking like one large business with inter-cluster trunks between them.
You must create the media termination instance before you specify it in the Cisco Intercompany Media Engine proxy.
Only one Cisco Intercompany Media Engine proxy can be configured on the ASA.
Examples
The following example shows how to configure a Cisco Intercompany Media Engine proxy by using the uc-ime command.
hostname(config)#uc-ime local_uc-ime_proxyhostname(config-uc-ime)# media-termination ime-media-termhostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-securehostname(config-uc-ime)# ticket epoch 1 password password1234hostname(config-uc-ime)# fallback monitoring timer 120hostname(config-uc-ime)# fallback hold-down timer 30Related Commands
ucm
To configure which Cisco Unified Communication Managers (UCM) that the Cisco Intercompany Media Engine Proxy connects to, use the ucm command in global configuration mode. To remove the the Cisco UCM that are connected to the Cisco Intercompanuy Media Engine Proxy, use the no form of this command.
ucm address ip_address trunk-security-mode {nonsecure | secure}
no ucm address ip_address trunk-security-mode {nonsecure | secure}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
UC-IME configuration
•
—
•
—
—
Command History
Usage Guidelines
Specifies the Cisco UCM server in the enterprise.
You can enter multiple ucm commands for the Cisco Intercompany Media Engine proxy.
Note
Specifying secure for Cisco UCM or Cisco UCM cluster indicates that Cisco UCM or Cisco UCM cluster is initiating TLS; therefore, you must set up configure TLS for components.
You can specify the secure option in this task or you can update it later while configuring TLS for the enterprise.
TLS within the enterprise refers to the security status of the Cisco Intercompany Media Engine trunk as seen by the adaptive security appliance.
If the transport security for the Cisco Intercompany Media Engine trunk changes on Cisco UCM, it must be changed on the adaptive security appliance as well. A mismatch will result in call failure. The adaptive security appliance does not support SRTP with non-secure IME trunks. The adaptive security appliance assumes SRTP is allowed with secure trunks. So `SRTP Allowed' must be checked for IME trunks if TLS is used. The adaptive security appliance supports SRTP fallback to RTP for secure IME trunk calls.
The proxy sits on the edge of the enterprise and inspects SIP signaling between SIP trunks created between enterprises. It terminates TLS signaling from the Internet and initiates TCP or TLS to Cisco UCM.
Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet. TLS encrypts the segments of network connections at the Transport Layer end-to-end.
This task is not required if TCP is allowable within the inside network.
Key steps for Configuring TLS within the local enterprise:
•
•
•
Authentication via TLS: In order for the ASA to act as a porty on behalf of N enterprises, the Cisco UCMs must be able to accept the one certificate from the ASA. This can be done by associating all the UC-IME SIP trunks with the same SIP security profile containing the same subject name as that of the one presented by the ASA because the Cisco UCM extracts the subject name from the certificate and compares that with the name configured in the security profile.
Examples
The following example shows ...:
hostname(config)#uc-ime local_uc-ime_proxyhostname(config-uc-ime)# media-termination ime-media-termhostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-securehostname(config-uc-ime)# ticket epoch 1 password password1234hostname(config-uc-ime)# fallback monitoring timer 120hostname(config-uc-ime)# fallback hold-down timer 30undebug
To disable the display of debugging information in the current session, use the undebug command in privileged EXEC mode.
undebug {command | all}
Syntax Description
command
Disables debug for the specified command. See the Usage Guidelines for information about the supported commands.
all
Disables all debug output.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The following commands can be used with the undebug command. For more information about debugging a specific command, or for the associated arguments and keywords for a specific debug command, see the entry for the debug command.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The example disabled all debugging output:
hostname(config)# undebug allRelated Commands
unix-auth-gid
To set the UNIX group ID, use the unix-auth-gid command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.
unix-auth-gid identifier
no storage-objects
Syntax Description
Defaults
The default is 65534.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The string specifies a network file system (NetFS) location. Only SMB and FTP protocols are supported; for example, smb://(NetFS location) or ftp://(NetFS location). You use the name of this location in the storage-objects command.
Examples
The following example sets the UNIX group ID to 4567:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#unix-auth-gid 4567Related Commands
unix-auth-uid
To set the UNIX user ID, use the unix-auth-uid command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.
unix-auth-gid identifier
no storage-objects
Syntax Description
Defaults
The default is 65534.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The string specifies a network file system (NetFS) location. Only SMB and FTP protocols are supported; for example, smb://(NetFS location) or ftp://(NetFS location). You use the name of this location in the storage-objects command.
Examples
The following example sets the UNIX user ID to 333:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#unix-auth-gid 333Related Commands
upload-max-size
To specify the maximum size allowed for an object to upload, use the upload-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.
upload-max-size size
no upload-max-size
Syntax Description
Defaults
The default size is 2147483647.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
Setting the size to 0 effectively disallows object uploading.
Examples
The following example sets the maximum size for a uploaded object to 1500 bytes:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#upload-max-size 1500Related Commands
uri-non-sip
To identify the non-SIP URIs present in the Alert-Info and Call-Info header fields, use the uri-non-sip command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
uri-non-sip action {mask | log} [log}
no uri-non-sip action {mask | log} [log}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to identify the non-SIP URIs present in the Alert-Info and Call-Info header fields in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# uri-non-sip action logRelated Commands
url
To maintain the list of static URLs for retrieving CRLs, use the url command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. To delete an existing URL, use the no form of this command.
url index url
no url index url
Syntax Description
index
Specifies a value from 1 to 5 that determines the rank of each URL in the list. The ASA tries the URL at index 1 first.
url
Specifies the URL from which to retrieve the CRL.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
•
—
•
—
—
Command History
Usage Guidelines
You cannot overwrite existing URLs. To replace an existing URL, first delete it using the no form of this command.
Examples
The following example enters ca-crl configuration mode, and sets up an index 3 for creating and maintaining a list of URLs for CRL retrieval and configures the URL https://example.com from which to retrieve CRLs:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# url 3 https://example.comhostname(ca-crl)#Related Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
policy
Specifies the source for retrieving CRLs.
url-block
To manage the URL buffers used for web server responses while waiting for a filtering decision from the filtering server, use the url-block command. To remove the configuration, use the no form of this command.
url-block block block_buffer
no url-block block block_buffer
url-block mempool-size memory_pool_size
no url-block mempool-size memory_pool_size
url-block url-size long_url_size
no url-block url-size long_url_size
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For Secure Computing, the url-block url-size command allows filtering of long URLs, up to 3 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the ASA to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default ASA behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.
If you use the url-block block command and the filtering server permits the connection, the ASA sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the ASA sends a deny message to the web client and removes the blocks from the HTTP response buffer.
Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.
Use the url-block url-size command with the url-block mempool-size command to specify the maximum length of a URL to be filtered and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense or Secure-Computing server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense or Secure-Computing server (through a TCP packet stream) so that the Websense or Secure-Computing server can grant or deny access to that URL.
Examples
The following example assigns 56 1550-byte blocks for buffering responses from the URL filtering server:
hostname#(config)# url-block block 56Related Commands
url-cache
To enable URL caching for URL responses received from a Websense server and to set the size of the cache, use the url-cache command in global configuration mode. To remove the configuration, use the no form of this command.
url-cache { dst | src_dst } kbytes [ kb ]
no url-cache { dst | src_dst } kbytes [ kb ]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The url-cache command provides a configuration option to cache responses from the URL server.
Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.
Note
Caching stores URL access privileges in memory on the ASA. When a host requests a connection, the ASA first looks in the URL cache for matching access privileges instead of forwarding the request to the Websense server. Disable caching with the no url-cache command.
Note
Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 URL filtering while using the url-cache command.
Examples
The following example caches all outbound HTTP connections based on the source and destination addresses:
hostname(config)# url-cache src_dst 128Related Commands
url-entry
To enable or disable the ability to enter any HTTP/HTTPS URL on the portal page, use the url-entry command in dap webvpn configuration mode.
url-entry enable | disable
Defaults
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
Dap webvpn configuration
•
•
•
—
—
Command History
Examples
The following example shows how to enable URL entryfor the DAP record called Finance:
hostname (config) config-dynamic-access-policy-recordFinancehostname(config-dynamic-access-policy-record)#webvpnhostname(config-dynamic-access-policy-record)#url-entry enableRelated Commands
dynamic-access-policy-record
Creates a DAP record.
file-entry
Enables or disables the ability to enter file server names to access.
url-length-limit
To configure the maximum length of the URL allowed in the RTSP message, use the url-length-limit command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
url-length-limit length
no url-length-limit length
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure the URL length limit in an RTSP inspection policy map:
hostname(config)# policy-map type inspect rtsp rtsp_maphostname(config-pmap)# parametershostname(config-pmap-p)# url-length-limit 50Related Commands
url-list (removed)
You can no longer use this command to define URl lists for access over SSL VPN connections. Now use the import command to import the XML object that defines a URL list. See the import- and export-url-list commands for more information.
Defaults
There is no default URL list.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
—
•
—
—
Command History
Usage Guidelines
You use the url-list command in global configuration mode to create one or more lists of URLs. To allow access to the URLs in a list for a specific group policy or user, use the listname you create here with the url-list command in webvpn mode.
Examples
The following example shows how to create a URL list called Marketing URLs that provides access to www.cisco.com, www.example.com, and www.example.org. The following table provides values that the example uses for each application.
Marketing URLs
Cisco Systems
http://www.cisco.com
Marketing URLs
Example Company, Inc.
http://www.example.com
Marketing URLs
Example Organization
http://www.example.org
hostname(config)#url-list Marketing URLs Cisco Systems http://www.cisco.comhostname(config)#url-list Marketing URLs Example Company, Inc. http://www.example.comhostname(config)#url-list Marketing URLs Example Organization http://www.example.orgRelated Commands
url-list (group-policy webvpn)
To apply a list of WebVPN servers and URLs to a particular user or group policy, use the url-list command in group-policy webvpn configuration mode or in username webvpn configuration mode. To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a url list, use the url-list none command. Using the command a second time overrides the previous setting.
url-list {value name | none} [index]
no url-list
Syntax Description
Defaults
There is no default URL list.
Command Modes
The following table shows the modes in which you enter the commands:
Group-policy webvpn confguration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
Using the command a second time overrides the previous setting.
Before you can use the url-list command in webvpn mode to identify a URL list that you want to display on the WebVPN home page for a user or group policy, you must create the list via an XML object. Use the import command in global configuration mode to download a URL list to the security appliance. Then use the url-list command to apply a list to a particular group policy or user.
Examples
The following example applies a URL list called FirstGroupURLs for the group policy named FirstGroup and assigns it first place among the URL lists:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# url-list value FirstGroupURLs 1Related Commands
url-server
To identify an N2H2 or Websense server for use with the filter command, use the url-server command in global configuration mode. To remove the configuration, use the no form of this command.
N2H2
url-server [(if_name)] vendor {smartfilter | n2h2} host local_ip [port number] [timeout seconds] [protocol {TCP [connections number]} | UDP]
no url-server [(if_name)] vendor {smartfilter | n2h2} host local_ip [port number] [timeout seconds] [protocol {TCP [connections number]} | UDP]
Websense
url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP | connections num_conns] | version]
no url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP [connections num_conns] | version]
Syntax Description
N2H2
Websense
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
Command History
Usage Guidelines
The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers in single context mode and 4 URL servers in multi mode; however, and you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the ASA does not update the configuration on the application server; this must be done separately, according to the vendor instructions.
The url-server command must be configured before issuing the filter command for HTTPS and FTP. If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed.
Once you designate the server, enable the URL filtering service with the filter url command.
Use the show url-server statistics command to view server statistic information including unreachable servers.
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Step 5
For more information about filtering by N2H2, visit N2H2's website at:
http://www.n2h2.com
For more information about Websense filtering services, visit the following website:
http://www.websense.com/
Examples
Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1hostname(config)# filter url http 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) vendor websense host 10.0.1.1 protocol TCP version 4hostname(config)# filter url http 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0Related Commands
urgent-flag
To allow or clear the URG pointer through the TCP normalizer, use the urgent-flag command in tcp-map configuration mode. To remove this specification, use the no form of this command.
urgent-flag {allow | clear}
no urgent-flag {allow | clear}
Syntax Description
allow
Allows the URG pointer through the TCP normalizer.
clear
Clears the URG pointer through the TCP normalizer.
Defaults
The urgent flag and urgent offset are clear by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the newTCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the urgent-flag command in tcp-map configuration mode to allow the urgent flag.
The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag, therefore, end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks. The default behavior is to clear the URG flag and offset.
Examples
The following example shows how to allow the urgent flag:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# urgent-flag allowhostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq 513hostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
user
To create a user in a user group object that supports the Identity Firewall feature, use the user command in the user-group object configuration mode. Use the no form of this command to remove the user. from the object.
user [domain_nickname\]user_name
[no] user [domain_nickname\]user_name
Syntax Description
Defaults
If you do not specify the domain_nickname argument, the user is created in the LOCAL domain configured for the Identity Firewall feature.
Command Modes
The following table shows the modes in which you can enter the command:
Object-group user configuration
•
•
•
•
—
Command History
Usage Guidelines
The ASA sends an LDAP query to the Active Directory server for user groups globally defined in the Active Directory domain controller. The ASA imports these groups for the Identity Firewall feature. However, the ASA might have localized network resources that are not defined globally that require local user groups with localized security policies. Local user groups can contain nested groups and user groups that are imported from Active Directory. The ASA consolidates local and Active Directory groups. A user can belong to local user groups and user groups imported from Active Directory.
The ASA supports up to 256 user groups (including imported user groups and local user groups).
You active user group objects by including them within an access group, capture, or service policy.
Within a user group object, you can define the following object types:
•
The name of an imported user must be the sAMAccountName, which is unique, rather than the common name (cn), which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used for imported users defined by the user object.
•
The group name of the user-group must be the sAMAccountName, which is unique, rather than the cn, which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used in the user_group_name argument specified with the user-group keyword.
Note
•
Note
•
Examples
The following example shows how to use the user command with the user-group object command to add a user in a user group object for use with the Identity Firewall feature:
hostname(config)# object-group user sampleuser1-grouphostname(config-object-group user)# description group members of sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-allhostname(config-object-group user)# user CSCO\user2hostname(config-object-group user)# exithostname(config)# object-group user sampleuser2-grouphostname(config-object-group user)# description group members of sampleuser2-grouphostname(config-object-group user)# group-object sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-marketinghostname(config-object-group user)# user CSCO\user3Related Commands
user-alert
To enable broadcast of an urgent message to all clientless SSL VPN users with currently active session, use the user-alert command in privileged EXEC mode. To disable the message, use the no form of this command.
user-alert string cancel
no user-alert
Syntax Description
Defaults
No message.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
When you issue this command, end users see a pop-up browser window with the configured message. This command causes no change in the ASA configuration file.
Examples
The following example shows how to enable DAP trace debugging:
hostname #We will reboot the security appliance at 11:00 p.m. EST time. We apologize for any inconvenience.hostname #user-authentication
To enable user authentication, use the user-authentication enable command in group-policy configuration mode. To disable user authentication, use the user-authentication disable command. To remove the user authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for user authentication from another group policy.
When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel.
user-authentication {enable | disable}
no user-authentication
Syntax Description
Defaults
User authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Individual users authenticate according to the order of authentication servers that you configure.
If you require user authentication on the primary ASA, be sure to configure it on any backup servers as well.
Examples
The following example shows how to enable user authentication for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#user-authentication enableRelated Commands
user-authentication-idle-timeout
To set an idle timeout for individual users behind hardware clients, use the user-authentication-idle-timeout command in group-policy configuration mode. To delete the idle timeout value, use the no form of this command. This option allows inheritance of an idle timeout value from another group policy. To prevent inheriting an idle timeout value, use the user-authentication-idle-timeout none command.
If there is no communication activity by a user behind a hardware client in the idle timeout period, the ASA terminates the connection.
user-authentication-idle-timeout {minutes | none}
no user-authentication-idle-timeout
Syntax Description
Defaults
30 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The minimum is 1 minute, the default is 30 minutes, and the maximum is 10,080 minutes.
This timer terminates only the client's access through the VPN tunnel, not the VPN tunnel itself.
The idle timeout indicated in response to the show uauth command is always the idle timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.
Examples
The following example shows how to set an idle timeout value of 45 minutes for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#user-authentication-idle-timeout 45Related Commands
user-authentication
Requires users behind hardware clients to identify themselves to the ASA before connecting.
user-group
To add a user group imported from Microsoft Active Directory to the group created with the object-group user command for use with the Identity Firewall feature, use the user-group command in the user-group object configuration mode. Use the no form of this command to remove the user group from the object.
user-group [domain_nickname\]user_group_name
[no] user-group [domain_nickname\]user_group_name
Syntax Description
Defaults
If you do not specify the domain_nickname argument, the user group is created in the LOCAL domain configured for the Identity Firewall feature.
Command Modes
The following table shows the modes in which you can enter the command:
Object-group user configuration
•
•
•
•
—
Command History
Usage Guidelines
The ASA sends an LDAP query to the Active Directory server for user groups globally defined in the Active Directory domain controller. The ASA imports these groups for the Identity Firewall feature. However, the ASA might have localized network resources that are not defined globally that require local user groups with localized security policies. Local user groups can contain nested groups and user groups that are imported from Active Directory. The ASA consolidates local and Active Directory groups. A user can belong to local user groups and user groups imported from Active Directory.
The ASA supports up to 256 user groups (including imported user groups and local user groups).
You activate user group objects by including them within an access group, capture, or service policy.
Within a user group object, you can define the following object types:
•
The name of an imported user must be the sAMAccountName, which is unique, rather than the common name (cn), which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used for imported users defined by the user object.
•
The group name of the user group must be the sAMAccountName, which is unique, rather than the cn, which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used in the user_group_name argument specified with the user-group keyword.
Note
•
Note
•
Examples
The following example shows how to use the user-group command with the user-group object command to add a user group in a user group object for use with the Identity Firewall feature:
hostname(config)# object-group user sampleuser1-grouphostname(config-object-group user)# description group members of sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-allhostname(config-object-group user)# user CSCO\user2hostname(config-object-group user)# exithostname(config)# object-group user sampleuser2-grouphostname(config-object-group user)# description group members of sampleuser2-grouphostname(config-object-group user)# group-object sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-marketinghostname(config-object-group user)# user CSCO\user3Related Commands
user-identity action ad-agent-down
To set the action for the Cisco Identify Firewall instance when the Active Directory Agent is unresponsive, use the user-identity action ad-agent-down command in global configuration mode. To remove this action for the Identity Firewall instance, use the no form of this command.
user-identity action ad-agent-down disable-user-identity-rule
no user-identity action ad-agent-down disable-user-identity-rule
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when the AD Agent is not responding.
When the AD Agent is down and the user-identity action ad-agent-down command is configured, the ASA disables the user identity rules associated with the users in that domain. Additionally, the status of all user IP addresses in that domain are marked as disabled in the output displayed by the show user-identity user command.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname(config)#user-identity action ad-agent-down disable-user-identity-ruleRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity action domain-controller-down
To set the action for the Cisco Identify Firewall instance when the Active Directory domain controller is down, use the user-identity action domain-controller-down command in global configuration mode. To remove the action, use the no form of this command.
user-identity action domain-controller-down domain_nickname disable-user-identity-rule
no user-identity action domain-controller-down domain_nickname disable-user-identity-rule
Syntax Description
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when the domain is down because Active Directory domain controller is not responding.
When the domain is down and the disable-user-identity-rule keyword is configured, the ASA disables the user identity-IP address mapping for that domain. Additionally, the status of all user IP addresses in that domain are marked as disabled in the output displayed by the show user-identity user command.
Examples
The following example shows how to configure this action for the Identity Firewall:
hostname(config)# user-identity action domain-controller-down SAMPLE disable-user-identity-ruleRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity action mac-address-mismatch
To set the action for the Cisco Identify Firewall instance when a user's MAC address is found to be inconsistent with the ASA device IP address, use the user-identity action mac-address mismatch command in global configuration mode. To remove the action, use the no form of this command.
user-identity action mac-address mismatch remove-user-ip
no user-identity action mac-address mismatch remove-user-ip
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the ASA uses remove-user-ip when this command is specified.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when a user's MAC address is found to be inconsistent with the ASA device IP address currently mapped to that MAC address. The action is to disable the effect of user identity rules.
When the user-identity action mac-address-mismatch command is configured, the ASA removes the user identity-IP address mapping for that client.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)#user-identity action mac-address-mismatch remove-user-ipRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity action netbios-response-fail
To set the action when a client does not respond to a NetBIOS probe for the Cisco Identify Firewall instance, use the user-identity action netbios-response-fail command in global configuration mode. To remove the action, use the no form of this command.
user-identity action netbios-response-fail remove-user-ip
no user-identity action netbios-response-fail remove-user-ip
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when a client does not respond to a NetBIOS probe. For example, the network connection might be blocked to that client or the client is not active.
When the user-identity action remove-user-ip command is configured, the ASA removed the user identity-IP address mapping for that client.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)#user-identity action netbios-response-fail remove-user-ipRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity ad-agent aaa-server
To define the server group of the AD Agent for the Cisco Identify Firewall instance, use the user-identity ad-agent aaa-server command in AAA server host configuration mode. To remove the action, use the no form of this command.
user-identity user-identity ad-agent aaa-server aaa_server_group_tag
no user-identity user-identity ad-agent aaa-server aaa_server_group_tag
Syntax Description
Defaults
This command has no defaults.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa server host configuration
•
•
•
—
—
Command History
Usage Guidelines
The first server defined in aaa_server_group_tag variable is the primary AD Agent and the second server defined is the secondary AD Agent.
The Identity Firewall supports defining only two AD Agent hosts.
When the ASA detects that the primary AD Agent is down and a secondary agent is specified, it switches to secondary AD Agent. The AAA server for the AD agent uses RADIUS as the communication protocol, and should specify the key attribute for the shared secret between the ASA and AD Agent.
Examples
The following example shows how to define the AD Agent AAA server host for the Identity Firewall:
hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagentRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity ad-agent active-user-database
To define how the ASA retrieves the user identity-IP address mapping information from the AD Agent for the Cisco Identify Firewall instance, use the user-identity action netbios-response-fail command in global configuration mode. To remove the configuration, use the no form of this command.
user-identity ad-agent active-user-database {on-demand|full-download}
no user-identity ad-agent active-user-database {on-demand|full-download}
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:
•
•
By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.
Full downloads are event driven, meaning that subsequent requests to download the database, send just the updates to the user identity-IP address mapping database.
When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.
Examples
The following example shows how to configure this option for the Identity Firewall:
hostname(config)# user-identity ad-agent active-user-database full-downloadRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity ad-agent hello-timer
To define the timer between the ASA and the AD Agent for the Cisco Identify Firewall instance, use the user-identity ad-agent hello-timer command in global configuration mode. To remove the configuration, use the no form of this command.
user-identity ad-agent hello-timer seconds seconds retry-times number
no user-identity ad-agent hello-timer seconds seconds retry-times number
Syntax Description
number
Specifies the number of times to retry the timer.
seconds
Specifies the length of time for the timer.
Defaults
By default, the hello timer is set to 30 seconds and 5 retries.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Defines the hello timer between the ASA and the AD Agent.
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5 retries.
Examples
The following example shows how to configure this option for the Identity Firewall:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity default-domain
To specify the default domain for the Cisco Identify Firewall instance, use the user-identity default-domain command in global configuration mode. To remove the default domain, use the no form of this command.
user-identity default-domain domain_NetBIOS_name
no user-identity default-domain domain_NetBIOS_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
For domain_NetBIOS_name, enter a name up to 32 characters consisting of [a-z], [A-Z], [0-9], [!@#$%^&()-_=+[]{};,.] except '.' and ' ' at the first character. If the domain name contains a space, enclose the entire name in quotation marks. The domain name is not case sensitive.
The default domain is used for all users and user groups when a domain has not been explicitly configured for those users or groups. When a default domain is not specified, the default domain for users and groups is LOCAL. For multiple context mode, you can set a default domain name for each context, as well as within the system execution space.
Note
The Identity Firewall uses the LOCAL domain for all locally defined user groups or locally defined users. Users logging in through a web portal (cut-through proxy) are designated as belonging to the Active Directory domain with which they authenticated. Users logging in through a VPN are designated as belonging to the LOCAL domain unless the VPN is authenticated by LDAP with Active Directory, so that the Identity Firewall can associate the users with their Active Directory domain.
Examples
The following example shows how to configure the default domain for the Identity Firewall:
hostname(config)# user-identity default-domain SAMPLERelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity domain
To associate the domain for the Cisco Identify Firewall instance, use the user-identity domain command in global configuration mode. To remove the domain association, use the no form of this command.
user-identity domain domain_nickname aaa-server aaa_server_group_tag
no user-identity domain_nickname aaa-server aaa_server_group_tag
Syntax Description
domain_nickname
Specifies the domain name for the Identity Firewall.
aaa_server_group_tag
Specifies the AAA server group associated with the Identity Firewall.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Associates the LDAP parameters defined for the AAA server for importing user group queries with the domain name.
For domain_nickname, enter a name up to 32 characters consisting of [a-z], [A-Z], [0-9], [!@#$%^&()-_=+[]{};,.] except '.' and ' ' at the first character. If the domain name contains a space, you must enclose that space character in quotation marks. The domain name is not case sensitive.
Examples
The following example shows how to associate the domain for the Identity Firewall:
hostname(config)# user-identity domain SAMPLE aaa-server dsRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity enable
To create the Cisco Identify Firewall instance, use the user-identity enable command in global configuration mode. To disable the Identity Firewall instance, use the no form of this command.
user-identity enable
no user-identity enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example shows how to enable the Identity Firewall:
hostname(config)#user-identity enableRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity inactive-user-timer
To specify the amount of time before a user is considered idle for the Cisco Identify Firewall instance, use the user-identity inactive-user-timer command in global configuration mode. To remove the timer, use the no form of this command.
user-identity inactive-user-timer minutes minutes
no user-identity inactive-user-timer minutes minutes
Syntax Description
minutes
Specifies the amount of time in minutes before a user is considered idle, meaning the ASA has not received traffic from the user's IP address for the specified amount of time.
Defaults
By default, the idle timeout is set to 60 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
When the timer expires, the user's IP address is marked as inactive and removed from the local cached user identity-IP address mapping database and the ASA no longer notifies the AD Agent about that IP address removal. Existing traffic is still allowed to pass. When this command is specified, the ASA runs an inactive timer even when the NetBIOS Logout Probe is configured.
Note
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)# user-identity inactive-user-timer minutes 120Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity logout-probe
To enable NetBIOS probing for the Cisco Identify Firewall instance, use the user-identity logout-probe command in global configuration mode. To remove the disable probing, use the no form of this command.
user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed | match-any | exact-match]
no user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed | match-any | exact-match]
Syntax Description
minutes
Specifies the number of minutes between probes.
seconds
Specifies the length of time for the retry interval.
times
Specifies the number of times to retry the probe.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
To minimize the NetBIOS packets, the ASA only sends a NetBIOS probe to a client when the user has been idle for more than the specified number of minutes.
Set the NetBIOS probe timer from1 to 65535 minutes and the retry interval from 1 to 256 retries. Specify the number of times to retry the probe:
•
•
•
The Identity Firewall only performs NetBIOS probing for those users identities that are in the active state and exist in at least one security policy. The ASA does not perform NetBIOS probing for clients where the users logged in through cut-through proxy or by using VPN.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-neededRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity monitor
For Cloud Web Security, to download the specified user or group information from the AD agent, use the user-identity monitor command in global configuration mode. To stop monitoring, use the no form of this command.
user-identity monitor {user-group [domain-name\\]group-name | object-group-user object-group-name}
no user-identity monitor {user-group [domain-name\\]group-name | object-group-user object-group-name}
Syntax Description
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you use the Identity Firewall feature, the ASA only downloads user identity information from the AD server for users and groups included in active ACLs; the ACL must be used in a feature such as an access rule, AAA rule, service policy rule, or other feature to be considered active. Because Cloud Web Security can base its policy on user identity, you may need to download groups that are not part of an active ACL to get full Identity Firewall coverage for all your users. For example, although you can configure your Cloud Web Security service policy rule to use an ACL with users and groups, thus activating any relevant groups, it is not required; you could use an ACL based entirely on IP addresses. The user identity monitor feature lets you download group information directly from the AD Agent.
The ASA can only monitor a maximum of 512 groups, including those configured for the user identity monitor and those monitored through active ACLs.
Examples
The following example monitors the CISCO\\Engineering usergroup:
hostname(config)# user-identity monitor user-group CISCO\\Engineering
Related Commands
user-identity poll-import-user-group-timer
To specify the amount of time before the ASA queries the Active Directory server for user group information for the Cisco Identify Firewall instance, use the user-identity poll-import-user-group-timer command in global configuration mode. To remove the timer, use the no form of this command.
user-identity poll-import-user-group-timer hours hours
no user-identity poll-import-user-group-timer hours hours
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the amount of time before the ASA queries the Active Directory server for user group information.
If a user is added to or deleted from to an Active Directory group, the ASA received the updated user group after import group timer runs.
By default, the poll timer is 8 hours.
To immediately update user group information, enter the user-identity update import-user command:
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)# user-identity poll-import-user-group-timer hours 1Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity static user
To create a new user-IP address mapping or set a user's IP address to inactive for the Cisco Identify Firewall feature, use the user-identity static user command in global configuration mode. To remove this configuration for the Identity Firewall, use the no form of this command.
user-identity static user [domain\] user_name host_ip
no user-identity static user [domain\] user_name host_ip
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
There are no usage guidelines for this command.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname(config)#user-identity static user SAMPLE\user1 192.168.1.101Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity update active-user-database
To download the entire active-user database from the Active Directory Agent, use the user-identity update active-user-database command in global configuration mode.
user-identity update active-user-database [timeout minutes minutes]
Syntax Description
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command downloads the entire active-user database from Active Directory Agent.
This command starts the update operation, generates a starting update log and returns immediately. When the update operation finishes or is aborted at timer expiration, another syslog message is generated. Only one outstanding update operation is allowed. Rerunning the command displays an error message.
When the command finishes running, the ASA displays [Done] at the command prompt then generates a syslog message.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname# user-identity update active-user-databaseERROR: one update active-user-database operation is already in progress[Done] user-identity update active-user-databaseRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity update import-user
To download the entire active user database from the Active Directory Agent, use the user-identity update active-user-database command in global configuration mode.
user-identity update import-user [[domain_nickname\\] user_group_name [timeout seconds seconds]]
Syntax Description
Defaults
The ASA retries the update up to 5 times and generates warning messages as necessary.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command updates the specified import user group database by querying the Active Directory server immediately without waiting for the expiration of the poll import user group timer. There is no command to update the local user group, because the group ID database is updated whenever the local user group has a configuration change.
This command does not block the console to wait for the return of the LDAP query.
This command starts the update operation, generates a starting update log and returns immediately. When the update operation finishes or is aborted at timer expiration, another syslog message is generated. Only one outstanding update operation is allowed. Rerunning the command displays an error message.
If the LDAP query is successful, the ASA stores retrieved user data in the local database and changes the user/group association accordingly. If the update operation is successful, you can run the show user-identity user-of-group domain\\group command to list all stored users under this group.
The ASA checks after each update for all imported groups. If an activated Active Directory group does not exist in Active Directory, the ASA generates a syslog message.
If user_group_name is not specified, the ASA starts the LDAP update service immediately and tries to periodically update all activated groups. The LDAP update service runs in the background and periodically updates import user groups via an LDAP query on the Active Directory server.
At system boot up time, if there are import user groups defined in access groups, the ASA retrieves user/group data via LDAP queries. If errors occur during the update, the ASA retries the update up to 5 times and generates warning messages as necessary.
When the command finishes running, the ASA displays [Done] at the command prompt then generates a syslog message.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname# user-identity update import-user group.sample-group1ERROR: Update import-user group is already in progress[Done] user-identity update import-user group.sample-group1Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity user-not-found
To enable user-not-found tracking for the Cisco Identify Firewall instance, use the user-identity user-not-found command in global configuration mode. To remove this tracking for the Identity Firewall instance, use the no form of this command.
user-identity user-not-found enable
no user-identity user-not-found enable
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Only the last 1024 IP addresses are tracked.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname(config)#user-identity user-not-found enableRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-message
To specify a text message to display when a DAP record is selected, use the user-message command in dynamic-access-policy-record mode. To remove this message, use the no version of the command. If you use the command more than once for the same DAP record, the newer message replaces the previous message.
user-message message
no user-message
Syntax Description
message
The message for users assigned to this DAP record. Maximum 128 characters. If the message contains spaces, enclose it in double quotation marks.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Dynamic-access-policy- record
•
•
•
—
—
Command History
Usage Guidelines
For a successful SSL VPN connection, the portal page displays a flashing, clickable icon that lets the user see the message(s) associated with the connection. If the connection is terminated from a DAP policy (action = terminate), and if there is a user message configured in that DAP record, then that message displays on the login screen.
If more than one DAP record applies to a connection, the ASA combines the applicable user messages and displays them as a single string.
Examples
The following example shows how to set a user message of "Hello Money Managers" for the DAP record called Finance.
hostname (config) config-dynamic-access-policy-recordFinancehostname(config-dynamic-access-policy-record)#user-message "Hello Money Managers"hostname(config-dynamic-access-policy-record)#Related Commands
user-parameter
To specify the name of the HTTP POST request parameter in which a username must be submitted for SSO authentication, use the user-parameter command in aaa-server-host configuration mode.
user-parameter name
Note
Syntax Description
Syntax DescriptionSyntax Description
string
The name of the username parameter included in the HTTP POST request. The maximum name size is 128 characters.
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
This is an SSO with HTTP Forms command. The WebVPN server of the ASA uses an HTTP POST request to submit a single sign-on authentication request to an SSO server. The required command user-parameter specifies that the HTTP POST request must include a username parameter for SSO authentication.
Note
Examples
The following example, entered in aaa-server-host configuration mode, specifies that the username parameter userid be included in the HTTP POST request used for SSO authentication:
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# user-parameter useridhostname(config-aaa-server-host)#Related Commands
user-statistics
To activate the collection of user statistics by MPF and match lookup actions for the Identify Firewall, use the user-statistics command in policy-map configuration mode. To remove collection of user statistics, use the no form of this command.
user-statistics [accounting | scanning]
no user-statistics [accounting | scanning]
Syntax Description
accounting
(Optional) Specifies that the ASA collect the sent packet count, sent drop count, and received packet count.
scanning
(Optional) Specifies that the ASA collect only the sent drop count.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map configuration
•
•
•
•
—
Command History
Usage Guidelines
When you configure a policy map to collect user statistics, the ASA collects detailed statistics for selected users. When you specify the user-statistics command without the accounting or scanning keywords, the ASA collects both accounting and scanning statistics.
Examples
The following example shows how to activate user statistics for the Identity Firewall:
hostname(config)#class-map c-identity-example-1hostname(config-cmap)#match access-list identity-example-1hostname(config-cmap)#exithostname(config)#policy-map p-identity-example-1hostname(config-pmap)#class c-identity-example-1hostname(config-pmap)#user-statistics accountinghostname(config-pmap)#exithostname(config)#service-policy p-identity-example-1 interface outsideRelated Commands
user-storage
To store personalized user information between clientless SSL VPN sessions, use the user storage command in group-policy webvpn configuration mode. To disable user storage, use the no form of the command.
user-storage NETFS-location
no user-storage]
Syntax Description
Defaults
User storage is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn mode
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.4(6)
Prevented the password being shown in clear text during show-run.
Usage Guidelines
User-storage enables you to store cached credentials and cookies at a location other than the ASA flash. This command provides single sign on for personal bookmarks of a clientless SSL VPN user. The user credentials are stored in an encrypted format on the FTP/CIFS/SMB server as a <user_id>.cps file that is not decryptable.
Although the username, password, and preshared key are shown in the configuration, this poses no security risk because the ASA stores this information in encrypted form, using an internal algorithm.
If data is encrypted on an external FTP or SMB server, you can define personal bookmarks within the portal page by selecting add bookmark (for example: user-storage cifs://jdoe:test@10.130.60.49/SharedDocs). You can create personalized URLs for all plugin protocols as well.
Note
Examples
The following example shows how to set user storage for a user called newuser with a password of 12345678 at a file share called anyshare, and a path of anyfiler02a/new_share:
hostname(config)#wgroup-policy DFLTGrpPolicy attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)#user-storage cifs://newuser:12345678@anyfiler02a/new_sharehostname(config-group_webvpn)#Related Commands
storage-key
Specifies a storage key to protect the data stored between sessions.
storage-objects
Configures storage objects for the data stored between sessions.
username (8.4(3) and earlier)
To add a user to the ASA database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username that you want to remove. To remove all usernames, use the no version of this command without appending a username.
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
no username name
Syntax Description
Defaults
The default privilege level is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0.1
This command was introduced.
7.2(1)
The mschap and nt-encrypted keywords were added.
Usage Guidelines
The login command uses this database for authentication.
If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. (See the aaa authorization command command.) Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use AAA authentication so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the enable password to access privileged EXEC mode.
By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly using the username attributes command.
When password authentication policy is enabled, you can no longer change your own password or delete your own account with the username command. You can, however, change your password with the change-password command.
Examples
The following example shows how to configure a user named "anyuser" with a password of 12345678 and a privilege level of 12:
hostname(config)#username anyuser password 12345678 privilege 12Related Commands
username (8.4(4.1) and later)
To add a user to the ASA database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username that you want to remove. To remove all usernames, use the no version of this command without appending a username. To enable the system to restore a password creation date at boot time or when copying a file to the running configuration, enter the username command in non-interactive configuration mode.
[no] username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
username name [password-date date]
Syntax Description
Defaults
The default privilege level is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Non-interactive configuration
•
•
•
•
—
Command History
7.0.1
This command was introduced.
7.2(1)
The mschap and nt-encrypted keywords were added.
9.1(2)
The password-date date option was added.
Usage Guidelines
The login command uses this database for authentication.
If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. (See the aaa authorization command command.) Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use AAA authentication so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the enable password to access privileged EXEC mode.
By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly using the username attributes command.
When password authentication policy is enabled, you can no longer change your own password or delete your own account with the username command. You can, however, change your password with the change-password command.
To display the username password date, use the show running-config all username command.
Note
Examples
The following example shows how to configure a user named "anyuser" with a password of 12345678 and a privilege level of 12:
hostname(config)#username anyuser password 12345678 privilege 12Related Commands
username attributes
To enter the username attributes mode, use the username attributes command in username configuration mode. To remove all attributes for a particular user, use the no form of this command and append the username. To remove all attributes for all users, use the no form of this command without appending a username. The attributes mode lets you configure attribute-value pairs for a specified user.
username {name} attributes
no username [name] attributes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication. You can configure the username attributes using either the username command or the username attributes command.
The command syntax in username configuration mode has the following characteristics in common:
•
•
•
The username attributes command enters username attributes mode, in which you can configure any of the following attributes:
You configure webvpn-mode attributes for the username by entering the username attributes command and then entering the webvpn command in username webvpn configuration mode. See the webvpn command (group-policy attributes and username attributes modes) for details.
Examples
The following example shows how to enter username attributes configuration mode for a user named "anyuser":
hostname(config)#username anyuser attributeshostname(config-username)#Related Commands
username-from-certificate
To specify the field in a certificate to use as the username for authorization, use the username-from-certificate command in tunnel-group general-attributes mode. The DN of the peer certificate used as username for authorization
To remove the attribute from the configuration and restore default values, use the no form of this command.
username-from-certificate {primary-attr [secondary-attr] | use-entire-name}
no username-from-certificate
Syntax Description
Defaults
The default value for the primary attribute is CN (Common Name).
The default value for the secondary attribute is OU (Organization Unit).
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
This command selects the field in the certificate to use as the username. It replaces the deprecated authorization-dn-attributes command in Release 8.0.4 and following. The username-from-certificate command forces the security appliance to use the specified certificate field as the username for username/password authorization.
To use this derived username in the pre-fill username from certificate feature for username/passwordauthentication or authorization, you must also configure the pre-fill-username command in tunnel-group webvpn-attributes mode. That is, to use the pre-fill username feature, you must configure both commands.
Possible values for primary and secondary attributes include the following:
Examples
The following example, entered in global configuration mode, creates an IPsec remote access tunnel group named remotegrp and specifies the use of CN (Common Name) as the primary attribute and OU as the secondary attribute to use to derive a name for an authorization query from a digital certificate:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# username-from-certificate CN OUhostname(config-tunnel-general)#The following example shows how to modify the tunnel-group attributes to configure the pre-fill username.
username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr] secondary-username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr] ; used only for double-authenticationRelated Commands
username-prompt
To customize the username prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the username-prompt command from webvpn customization mode:
username-prompt {text | style} value
[no] username-prompt {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default is text of the username prompt is "USERNAME:".
The default style of the username prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the text is changed to "Corporate Username:", and the default style is changed with the font weight increased to bolder:
hostname(config)# webvpnhostname(config-webvpn)# customization ciscohostname(config-webvpn-custom)# username-prompt text Corporate Username:hostname(config-webvpn-custom)# username-prompt style font-weight:bolderRelated Commands
group-prompt
Customizes the group prompt of the WebVPN page.
password-prompt
Customizes the password prompt of the WebVPN page.
