


Cisco Defense Orchestrator

Configure Identity Policy Settings

For identity policies to work, you must configure the sources that provide user identity information. The settings you must configure differ based on the type of rules you configure: passive, active, or both.

Note: At this time, Cisco Defense Orchestrator cannot configure some of the components needed to implement identity policies, such as Active Directory identity realms, remote access VPN, and Cisco Identity Services Engine. These components must be configured in Firepower Device Manager (FDM), the local manager of the Firepower Threat Defense (FTD) device. Some of the steps in the procedure below therefore direct you to FDM to configure the identity components on which the identity policy depends.

Before you begin

Ensure that time settings are consistent among the directory servers, Firepower Threat Defense device, and clients. A time shift among these devices can prevent successful user authentication. "Consistent" means that you can use different time zones, but the time should be the same relative to those zones; for example, 10 AM PST = 1 PM EST.


  1. In the navigation pane, click Devices & Services.
  2. Select the device on which you want to configure the identity policy. In the Management pane, click Policy and then click Identity in the policy bar.
  3. Enable identity policies by clicking the Identity toggle. Or, you can click the i_square_button.png button, review the descriptions of passive and active authentication, and click Enable in the dialog.
  4. Read the Passive Authentication settings. Click the Passive Auth button on the identity bar.

The Passive Authentication button shows Enabled if you have configured remote access VPN or Cisco Identity Services Engine using Firepower Device Manager.

You must have configured at least one passive identity source to create passive authentication rules.

  5. Configure Active Authentication. When an identity rule requires active authentication for a user, the user is redirected to the captive portal port on the interface through which they are connected and is then prompted to authenticate.
    a. Click the Active Auth button on the Identity bar.
    b. If you have not already, enable SSL Decryption by clicking the Enable link. If you don't see the Enable link, skip to step c.
      i. From the Select Decrypt Re-Sign Certificate menu, select the internal CA certificate to use for rules that implement decryption with re-signed certificates.

You can use the pre-defined NGFW-Default-InternalCA certificate, or click the menu and select Create or Choose to create a new certificate or select one you have already uploaded to the FTD.

If you have not already installed the certificate in client browsers, click the download button export_blue_button.png to obtain a copy. See the documentation for each browser for information on how to install the certificate. Also see Downloading the CA Certificate for Decrypt Re-Sign Rules.

Note: You are prompted for SSL Decryption settings only if you have not already configured the SSL decryption policy. To change these settings after enabling the identity policy, edit the SSL decryption policy settings.

      ii. Click Save.
    c. Click the Server Certificate menu to select (choose) the internal certificate to present to users during active authentication. If you have not already created the required certificate, click Create. Users will have to accept the certificate if you do not upload a certificate that their browsers already trust.
    d. In the Port field, enter the port number for the captive portal. The default is 885 (TCP). If you configure a different port, it must be in the range 1025-65535.

Note: For the HTTP Basic, HTTP Response Page, and NTLM authentication methods, the user is redirected to the captive portal using the IP address of the interface. However, for HTTP Negotiate, the user is redirected using the fully-qualified DNS name firewall-hostname.AD-domain-name. If you want to use HTTP Negotiate, you must also update your DNS server to map this name to the IP addresses of all inside interfaces where you are requiring active authentication. Otherwise, the redirection cannot complete, and users cannot authenticate.

    e. Click Save.
  6. Continue with Configure the Firepower Identity Policy Default Action.
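The procedure above leaves three things for the administrator to verify by hand before users start hitting the captive portal: that a custom port falls in the permitted 1025-65535 range, that the HTTP Negotiate name firewall-hostname.AD-domain-name resolves to every inside interface that requires active authentication, and that the directory servers, the FTD, and the clients agree on the time. The following script is an added pre-flight check for those three conditions; it is example code written for this page, not part of Cisco Defense Orchestrator or FDM. The host name ftd1.corp.example, the interface addresses, the in-memory DNS table, and the five-minute skew tolerance are constructed sample values and assumptions, not values from the page.

```python
"""Pre-flight checks for FTD active-authentication (captive portal) settings.

Added example, not Cisco code. All sample hosts, addresses, and the skew
tolerance below are constructed for illustration.
"""
from datetime import datetime, timezone
import ipaddress
import socket

DEFAULT_CAPTIVE_PORTAL_PORT = 885          # default port from the configuration page
CUSTOM_PORT_RANGE = range(1025, 65536)     # permitted range for a non-default port


def captive_portal_port_ok(port: int) -> bool:
    """True if the port is the default (885) or inside the permitted custom range."""
    return port == DEFAULT_CAPTIVE_PORTAL_PORT or port in CUSTOM_PORT_RANGE


def system_resolver(fqdn: str) -> set:
    """Resolve an FQDN to the set of all its IPv4/IPv6 addresses via the OS resolver."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return set()
    # sockaddr[0] is the address; strip any IPv6 scope id ("%eth0") before parsing.
    return {str(ipaddress.ip_address(info[4][0].split("%")[0])) for info in infos}


def negotiate_fqdn_check(fqdn: str, inside_interface_ips, resolver=system_resolver):
    """Check the HTTP Negotiate redirect name against the inside interfaces.

    Returns (missing, unexpected): inside interface addresses the name does NOT
    resolve to (redirects on those interfaces would fail), and resolved addresses
    that are not inside interfaces (stale or misdirected DNS records).
    A resolver callable is injectable so the check can run against a test table.
    """
    expected = {str(ipaddress.ip_address(ip)) for ip in inside_interface_ips}
    resolved = resolver(fqdn)
    return sorted(expected - resolved), sorted(resolved - expected)


def parse_clock(iso_timestamp: str) -> datetime:
    """Parse a clock reading with a UTC offset, e.g. '2024-01-15T10:00:00-08:00'."""
    clock = datetime.fromisoformat(iso_timestamp)
    if clock.tzinfo is None:
        raise ValueError("clock reading must carry a UTC offset: " + iso_timestamp)
    return clock


def max_clock_skew_seconds(clocks) -> float:
    """Largest pairwise difference, in seconds, among timezone-aware clock readings.

    Aware datetimes compare as instants, so 10 AM PST and 1 PM EST (the page's
    example of 'consistent' clocks) yield a skew of 0.
    """
    instants = [c.astimezone(timezone.utc) for c in clocks]
    return (max(instants) - min(instants)).total_seconds()


def clocks_consistent(clocks, tolerance_seconds: float = 300.0) -> bool:
    """True when every sampled clock agrees within the tolerance.

    The 300-second default is an assumption for this example; the page only
    says the clocks must agree, not by how much they may drift.
    """
    return max_clock_skew_seconds(clocks) <= tolerance_seconds


if __name__ == "__main__":
    # Constructed sample data: two inside interfaces, but DNS publishes only one.
    inside_ifaces = ["192.0.2.1", "198.51.100.1"]
    fake_dns = {"ftd1.corp.example": {"192.0.2.1"}}
    missing, extra = negotiate_fqdn_check(
        "ftd1.corp.example", inside_ifaces, resolver=lambda n: fake_dns.get(n, set()))
    print("custom port 8443 allowed:", captive_portal_port_ok(8443))
    print("inside interfaces missing from DNS:", missing)
    print("unexpected DNS answers:", extra)

    # Clock readings gathered from a directory server, the FTD, and a client.
    readings = [parse_clock("2024-01-15T10:00:00-08:00"),   # 10 AM PST
                parse_clock("2024-01-15T13:00:00-05:00"),   # 1 PM EST, same instant
                parse_clock("2024-01-15T18:06:00+00:00")]   # six minutes ahead in UTC
    print("max clock skew (s):", max_clock_skew_seconds(readings))
    print("clocks consistent:", clocks_consistent(readings))
```

Run the script with the real resolver (drop the `resolver=` argument) from a host that uses the same DNS server as the clients; a non-empty `missing` list means users on that interface will be redirected to a name that does not reach the firewall, which is exactly the failure the HTTP Negotiate note describes.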