So this feature is pretty damn cool in my opinion: it is called the Cisco ASA Identity Firewall.
It is available in ASA firmware 8.4.2, is part of the base license, and looks great.
Basically what it allows you to do is configure firewall rules based not on IP address but on username or group membership in AD! The user doesn't need to log in or do anything complicated for this to work.
What happens is, the Cisco ASA talks to a piece of free software available from Cisco (no license required) that connects to AD and maps logged-in users to IP addresses. In the background this mapping is what the ASA is looking at when it evaluates access rules, but when you're configuring it you just say "block all Internet traffic for users belonging to this group".
To quote Cisco:
"The key benefits of the Identity Firewall include:
• Decoupling network topology from security policies
• Simplifying the creation of security policies
• Providing the ability to easily identify user activities on network resources
• Simplify user activity monitoring"
So, just to run you through the scenario:
Let's say you have a user, User X, who is a very important executive. This very important executive travels all over to different sites on your WAN, so his IP might be totally different each time, and he also loves to VPN into your network all the time.
He INSISTS that he be able to run BitTorrent when he is plugged into the network, but of course you ban it for everyone else.
So, what do you do in a normal situation? Put his office in a separate VLAN and assign him a separate IP? Yep, that could work for his office, but what about when he travels to different sites? What about when he connects over the VPN?
With the Identity Firewall, you just specify an access-list that looks something like this:
access-list internetOut permit ip user DCDOMAIN\ImportantExecutive any any
You can see from the above that you basically just reference the user as the Windows domain, a backslash, then the user ID.
You could also specify a group:
hostname(config)# access-list aclname extended permit ip user-group SAMPLE\\group.marketing any any
What happens is, when the ASA is evaluating the rules, it queries the AD Connect Agent that you installed on a Windows server. The agent keeps a mapping of IP addresses to Windows login details (it gets this info from Microsoft AD) and is constantly updating it as users log in and out. It also receives information from the ASA whenever a user logs in to the VPN, so it gets their IP address details too!
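To make that lookup-then-match step concrete, here is an added Python simulation (not Cisco code and not from the original post) of how the ASA resolves a source IP through the AD Connect Agent's table and then matches user and user-group ACEs. The domain, user and group names and all addresses are constructed, and the parser only handles the ip protocol with any/host/network-mask addresses.

```python
# Added simulation, not Cisco code: how the ASA evaluates identity-based ACEs.
# It resolves the source IP through the AD Connect Agent's IP-to-user table, then
# matches ACEs that name a user or user-group. All names and addresses are constructed.
import ipaddress
# Constructed IP -> (user, groups) table as the AD Connect Agent would report it.
AD_AGENT_MAP = {
    "10.1.5.23": ("DCDOMAIN\\ImportantExecutive", {"DCDOMAIN\\group.executives"}),
    "10.1.9.40": ("DCDOMAIN\\jdoe", {"DCDOMAIN\\group.marketing"}),
}

def parse_addr(tok, i):
    """ASA address forms: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny ip [user U|user-group G] SRC DST'
    into (action, kind, ident, src_net, dst_net); kind is None for an address-only ACE."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, i = tok[i], i + 2  # skip the protocol keyword ("ip")
    kind = ident = None
    if tok[i] in ("user", "user-group"):
        # ASA config writes groups as DOMAIN\\group; normalise to a single backslash
        kind, ident, i = tok[i], tok[i + 1].replace("\\\\", "\\"), i + 2
    src, i = parse_addr(tok, i)
    dst, _ = parse_addr(tok, i)
    return action, kind, ident, src, dst

def evaluate(acl, src_ip, dst_ip, agent_map=AD_AGENT_MAP):
    """Action of the first matching ACE; an unmapped IP matches no identity ACE."""
    user, groups = agent_map.get(src_ip, (None, set()))
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, kind, ident, src, dst in acl:
        if kind == "user" and ident != user:
            continue
        if kind == "user-group" and ident not in groups:
            continue
        if s in src and d in dst:
            return action
    return "deny"  # implicit deny at the end of every ASA access-list
# The post's scenario: only the executive may reach the (constructed) tracker network.
INTERNET_OUT = [parse_ace(l) for l in (
    "access-list internetOut extended permit ip user DCDOMAIN\\ImportantExecutive any 203.0.113.0 255.255.255.0",
    "access-list internetOut extended deny ip any 203.0.113.0 255.255.255.0",
    "access-list internetOut extended permit ip any any",
)]
```

Swapping the executive's entry to a new address in the agent table (as happens when he roams or connects over VPN) keeps the permit with him, while his old IP, now unmapped, falls through to the deny.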
You can see how this could greatly simplify your firewall configuration and allow rapid changes. It is a powerful tool and I can't wait to get my hands on an ASA running 8.4.2 to try it out and show you all how to configure it! (Donations of ASAs kindly welcomed :p)