Skip to main content

 

 

Cisco Defense Orchestrator

Configure Identity Sources for FTD

About Identity Sources

Identity Sources, such as Microsoft Active Directory (AD) realms and RADIUS Servers, are AAA servers and databases that define user accounts for the people in your organization. You can use this information in a variety of ways, such as providing the user identity associated with an IP address, or authenticating remote access VPN connections or access to CDO. 

Click Objects > Create Objects (blue_cross_button.png) > Identity Source to create your sources. You would then use these objects when you configure the services that require an identity source. You can apply appropriate filters to search existing sources and manage them. 

Active Directory Realms

Active Directory provides user account and authentication information. When you deploy a configuration that includes an AD realm to an FTD device, CDO fetches users and groups from the AD server.

You can use this source for the following purposes:

  • Remote Access VPN, as a primary identity source. You can use AD in conjunction with a RADIUS server.

  • Identity policy, for active authentication and as the user identity source used with passive authentication.

  • Identity rule, for active authentication for a user.

You can create access control rules with user identities. See How to Implement a Firepower Identity Policy for more information. 

CDO requests an updated list of user groups once every 24 hours. Because you can add a maximum of 50 users or groups to a rule, selecting groups usually makes more sense than selecting individual users. For example, you could create a rule allowing the Engineering group access to a development network, and create a subsequent rule that denies all other access to the network. Then, to make the rule apply to new engineers, you only need to add the engineer to the Engineering group in the directory server.

Active Directory Realms In CDO

You configure the AD realm when you create an Active Directory Identity object. The identity source objects wizard assists in determining how to connect to the AD server and where the AD server is located in the network.

Note: If you create an AD realm in CDO, CDO remembers the AD password when you create affiliate identity source objects and when you add those objects to an identity rule. 

Active Directory Realms In FDM

You can point to AD realm objects that were created in FDM from the CDO objects wizard. Note that CDO does not read the AD password for AD realm objects that are created in FDM. You must manually enter the correct AD password in CDO. 

To configure an AD realm in FDM, see the Configuring AD Identity Realms section of the Reusable Objects chapters of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running. 

Supported Directory Servers

You can use AD on Windows Server 2008 and 2012.

Note the following about your server configuration:

  • If you want to perform user control on user groups or on users within groups, you must configure user groups on the directory server. The system cannot perform user group control if the server organizes the users in a basic object hierarchy.

  • The directory server must use the field names listed in the following table in order for the system to retrieve user metadata from the servers for that field:

Metadata Active Directory Field
LDAP user name samaccountname
First name givename
Last Name sn
email address

mail

userprincipalname (if mail has no value)

Department

department

distinguishedname (if department has no value)

Telephone number telephonenumber

Determining the Directory Base DN

When you configure directory properties, you need to specify the common base distinguished name (DN) for users and groups. The base is defined in your directory server and differs from network to network. You must enter the correct bases for identity policies to work. If the base is wrong, the system cannot determine user or group names, and thus identity-based policies will be inoperable.

Note: To get the correct bases, consult the administrator who is responsible for the directory servers.

For an active directory, you can determine the correct bases by logging into the Active Directory server as a domain administrator, and using the dsquery command at a command prompt as follows to determine the bases:

User search base

Enter the dsquery user command with known username (partial or complete) to determine the base distinguished name. For example, the following command uses the partial name “John*” to return information for all users that start with “John.”

C:\Users\Administrator>dsquery user -name “John*” 
“CN=John Doe,CN=Users,DC=csc-lab,DC=example,DC=com”

The base DN would be “DC=csc-lab,DC=example,DC=com.”

Group search base

Enter the dsquery group command with a known group name to determine the base distinguished name. For example, the following command uses the group name Employees to return the distinguished name:

C:\>dsquery group -name “Employees” 
“CN=Employees,CN=Users,DC=csc-lab,DC=example,DC=com”

The group base DN would be “DC=csc-lab,DC=example,DC=com.”

You can also use the ADSI Edit program to browse the Active Directory structure (Start > Run > adsiedit.msc). In ADSI Edit, right click any object, such as an organizational unit (OU), group, or user, and choose Properties to view the distinguished name. You can then copy the string of DC values as the base.

To verify that you have the correct base:

  1. Click the Test Connection button in the directory properties to verify connectivity. Resolve any problems, and save the directory properties.

  2. Commit changes to the device.

  3. Create an access rule, select the Users tab, and try to add known user and group names from the directory. You should see auto-complete suggestions as you type for matching users and groups in the realm that contains the directory. If these suggestions appear in a drop-down list, then the system was able to query the directory successfully. If you see no suggestions, and you are certain the string you typed should appear in a user or group name, you need to correct the corresponding search base.

See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information. 

RADIUS Servers and Groups

You can use RADIUS servers to authenticate and authorize administration users.

When you configure a feature to use RADIUS servers, you select a RADIUS group instead of individual servers. A RADIUS group is a collection of RADIUS servers that are copies of each other. If a group has more than one server, they form a chain of backup servers to provide redundancy in case one server becomes unavailable. But even if you have only one server, you must create a one-member group to configure RADIUS support for a feature.

You can use this source for the following purposes:

  • Remote Access VPN, as an identity source for authentication, and for authorization and accounting. You can use AD in conjunction with a RADIUS server.

  • Identity policy, as a passive identity source to collect user identity from remote access VPN logins.

See Create and Edit a Firepower Threat Defense RADIUS Server Object or Group for more information. 

 

Related Articles: