Skip to main content

 

 

Cisco Defense Orchestrator

Firepower Threat Defense Identity Policy

Identity Policy Overview

Use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user group. By linking network behavior, traffic, and events directly to individual users and groups, the system can help you identify the source of policy breaches, attacks, or network vulnerabilities.

For example, you can identify who owns the host targeted by an intrusion event, and who initiated an internal attack or port scan. You can also identify high bandwidth users and users who are accessing undesirable web sites or applications.

You can then view usage based on user identity in the dashboards, and configure access control based on Active Directory (AD) realm object (which matches all users on that AD), special identities (such as failed authentication, guest, no authentication required, or unknown identity), or user groups. 

You can obtain user identity using the following methods:

  • Passive authentication—For all types of connections, obtain user identity from other authentication services without prompting for username and password.

  • Active authentication—For HTTP connections only, prompt for username and password and authenticate against the specified identity source to obtain the user identity for the source IP address.

Establishing User Identity Through Passive Authentication

Passive authentication gathers user identity without prompting the user for username and password. The system obtains the mappings from the identity sources you specify.

You can passively obtain user-to-IP address mappings from the following sources:

  • Remote access VPN logins. The following user types are supported for passive identity:

    • User accounts defined in an external authentication server.

    • Local user accounts that are defined in Firepower Device Manager.

  • Cisco Identity Services Engine (ISE); Cisco Identity Services Engine Passive Identity Connector (ISE PIC).

If a given user is identified through more than one source, the remote access VPN login identity takes precedence.

Establishing User Identity through Active Authentication

Authentication is the act of confirming the identity of a user.

With active authentication, when an HTTP traffic flow comes from an IP address for which the system has no user-identity mapping, you can decide whether to authenticate the user who initiated the traffic flow against the directory configured for the system. If the user successfully authenticates, the IP address is considered to have the identity of the authenticated user.

Failure to authenticate does not prevent network access for the user. Your access rules ultimately decide what access to provide these users.

Dealing with Unknown Users

When you use Firepower Device Manager (FDM) to configure the directory server for the identity policy, FDM downloads user and group membership information from the directory server. The Active Directory information is refreshed every 24 hours at midnight or whenever you edit and save the directory configuration (even if you do not make any changes). 

If a user succeeds in authenticating when prompted by an active authentication identity rule, but the user’s name is not in the downloaded user identity information, the user is marked as Unknown. You will not see the user’s ID in identity-related dashboards, nor will the user match group rules.

However, any access control rules for the Unknown user will apply. For example, if you block connections for Unknown users, these users are blocked even though they succeeded in authenticating (meaning that the directory server recognizes the user and the password is valid).

Thus, when you make changes to the directory server, such as adding or deleting users, or changing group membership, these changes are not reflected in policy enforcement until the system downloads the updates from the directory.

If you do not want to wait until the daily midnight update, you can force an update by editing the directory realm information (login to FDM and navigate Objects > Identity Sources, then edit the realm ). Click OK, then deploy changes. The system will immediately download the updates.

Note: You can check whether new or deleted user information is on the FDM system by logging in to FDM and navigating Policies > Access Control, clicking the Add Rule (+) button, and looking at the list of users on the Users tab. If you cannot find a new user, or you can find a deleted user, then the system has old information