View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0145 - ASA CX Active Authentication (Part 1)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video shows you the first method of obtaining user identity on Cisco ASA CX using Active Authentication. We will integrate CX with Windows Active Directory to perform user authentication as well as user group query. We will redo our access policies from the previous lab and replace the source IP subnet with AD user group. This would be our first step towards identity-based access policies and free ourselves from the use of just IP addresses. 
Part 1 of this video goes over Active Directory Integration, Authentication Settings, and Identity Policy
  • CX Active Authentication
  • Directory Realm and Active Directory Integration
  • Authentication Settings
  • Identities Policy
  • ASA with Auth-Proxy
  • Object
    • Identity Object
  • Failover Guest Role

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.



Please how would CX integrate with ISE for wireless guest as guest would use web auth. Would the default gateway for the Anchor WLC Guest WLAN be the CX, then the CX would proxy to ISE for authentication? If so, would ISE have to be added to the CX?

Or should the FW rule send guest HTTP to ISE first for web redirect/authentication, then the Internet bound traffic passes through the CX?

ISE only integrates with CX from the perspective of providing AD user to IP mapping information usually for internal user and not so much for guest. Other than that, the two systems work independently. ISE can be used for guest authentication (eg. guest account management, portal redirection etc.). Once guest is authenticated, you need to make sure guest internet traffic passes through your firewall with CX running. You can then create access policy on the CX and restrict guest traffic accordingly.