Skip to main content

 

 

Cisco Defense Orchestrator

Identity Sources in Identity Policies

About Identity Sources

Identity Sources, such as Microsoft Active Directory (AD) realms and RADIUS Servers, are AAA servers and databases that define user accounts for the people in your organization. You can use this information in a variety of ways, such as providing the user identity associated with an IP address, or authenticating remote access VPN connections or access to CDO. 

Use the Objects > Identity Sources page to create and manage your sources. You would then use these objects when you configure the services that require an identity source. 

Active Directory Realms

When you deploy a configuration that includes an AD realm to an FTD device, CDO fetches users and groups from the AD realm in the server. You can create access control rules with user identities. See How to Implement a Firepower Identity Policy for more information. 

CDO requests and updated list of user groups once every 24 hours. Because you can add a maximum of 50 users or groups to a rule, selecting groups usually makes more sense than selecting individual users. For example, you could create a rule allowing the Engineering group access to a development network, and create a subsequent rule that denies all other access to the network. Then, to make the rule apply to new engineers, you only need to add the engineer to the Engineering group in the directory server.

Active Directory Realms In CDO

You configure the AD realm when you create an Active Directory Identity object. The identity source objects wizard assists in determining how to connect to the AD server and where the AD server is located in the network.

Note: If you create an AD realm in CDO, CDO remembers the AD password when you create affiliate identity source objects and when you add those objects to an identity rule. 

See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information. 

Active Directory Realms In FDM

You can point to AD realm objects that were created in FDM from the CDO objects wizard. Note that CDO does not read the AD password for AD realm objects that are created in FDM. You must manually enter the correct AD password in CDO. 

See Configuring AD Identity Realms to configure an AD realm in FDM. 

Supported Directory Servers

You can use AD on Windows Server 2008 and 2012.

Note the following about your server configuration:

  • If you want to perform user control on user groups or on users within groups, you must configure user groups on the directory server. The system cannot perform user group control if the server organizes the users in basic object hierarchy.

  • The directory server must use the field names listed in the following table in order for the system to retrieve user metadata from the servers for that field:

Metadata Active Directory Field
LDAP user name samaccountname
First name givename
Last Name sn
email address

mail

userprincipalname (if mail has no value)

Department

department

distinguishedname (if department has no value)

Telepohne number telephonenumber

RADIUS Servers and Groups

You can use RADIUS servers to authenticate and authorize administration users.

When you configure a feature to use RADIUS servers, you select a RADIUS group instead of individual servers. A RADIUS group is a collection of RADIUS servers that are copies of each other. If a group has more than one server, they form a chain of backup servers to provide redundancy in case one server becomes unavailable. But even if you have only one server, you must create a one-member group to configure RADIUS support for a feature.

See Create and Edit a Firepower Threat Defense RADIUS Server Object or Group for more information. 

 

Related Articles:

  • Was this article helpful?