About Identity Sources
Identity Sources, such as Microsoft Active Directory (AD) realms and RADIUS Servers, are AAA servers and databases that define user accounts for the people in your organization. You can use this information in a variety of ways, such as providing the user identity associated with an IP address, or authenticating remote access VPN connections or access to CDO.
Use the Objects > Identity Sources page to create and manage your sources. You would then use these objects when you configure the services that require an identity source.
Active Directory Realms
When you deploy a configuration that includes an AD realm to an FTD device, CDO fetches users and groups from the AD realm in the server. You can create access control rules with user identities. See How to Implement a Firepower Identity Policy for more information.
CDO requests an updated list of user groups once every 24 hours. Because you can add a maximum of 50 users or groups to a rule, selecting groups usually makes more sense than selecting individual users. For example, you could create a rule allowing the Engineering group access to a development network, and create a subsequent rule that denies all other access to the network. Then, to make the rule apply to new engineers, you only need to add the engineer to the Engineering group in the directory server.
Active Directory Realms In CDO
You configure the AD realm when you create an Active Directory Identity object. The identity source objects wizard assists in determining how to connect to the AD server and where the AD server is located in the network.
Note: If you create an AD realm in CDO, CDO remembers the AD password when you create affiliated identity source objects and when you add those objects to an identity rule.
See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information.
Active Directory Realms In FDM
You can point to AD realm objects that were created in FDM from the CDO objects wizard. Note that CDO does not read the AD password for AD realm objects that are created in FDM. You must manually enter the correct AD password in CDO.
See Configuring AD Identity Realms to configure an AD realm in FDM.
Supported Directory Servers
You can use AD on Windows Server 2008 and 2012.
Note the following about your server configuration:
If you want to perform user control on user groups or on users within groups, you must configure user groups on the directory server. The system cannot perform user group control if the server organizes the users in a basic object hierarchy.
The directory server must use the field names listed in the following table in order for the system to retrieve user metadata from the servers for that field:
| Metadata | Active Directory Field |
|---|---|
| LDAP user name | samaccountname |
| Email address | mail, or userprincipalname (if mail has no value) |
| Department | department, or distinguishedname (if department has no value) |
RADIUS Servers and Groups
You can use RADIUS servers to authenticate and authorize administration users.
When you configure a feature to use RADIUS servers, you select a RADIUS group instead of individual servers. A RADIUS group is a collection of RADIUS servers that are copies of each other. If a group has more than one server, they form a chain of backup servers to provide redundancy in case one server becomes unavailable. But even if you have only one server, you must create a one-member group to configure RADIUS support for a feature.
See Create and Edit a Firepower Threat Defense RADIUS Server Object or Group for more information.