Sample Identity Policies and Rules

The following sections provide examples of configuring an identity policy with either a passive authentication rule or an active authentication rule. In addition, because you can authenticate users with active authentication using either realms or realm sequences, separate examples are provided.

Active authentication means the user authenticates using the captive portal: the user enters network credentials before being granted access to permitted resources. (RA-VPN is another type of active authentication, but it cannot be used together with captive portal authentication. For more information, see The Remote Access VPN Identity Source.)

Passive authentication covers all other types. Passive authentication includes using Microsoft Active Directory realms, Microsoft Azure Active Directory realms, Cisco Identity Services Engine, and others.

Assumptions

The examples use the following assumptions:

  • Microsoft Active Directory (AD) realm named forest.example.com with two child domains configured in a trust relationship:

    • US-West

    • US-East

  • A realm sequence named US that includes both realms

  • Passive authentication rule that authenticates users with a realm sequence

  • Two active authentication rules:

    • One rule that authenticates users with a realm and uses the NTLM authentication protocol

    • One rule that authenticates users with a realm sequence and uses the HTTP Response Page authentication protocol

  • Each sample identity rule is associated with a different identity policy

Passive authentication identity rules

When you configure a Passive Authentication identity rule, you can choose to authenticate users with LDAP, a Microsoft Active Directory realm, or a Microsoft AD realm sequence. You can use a realm to authenticate with any authentication type; a realm sequence restricts the authentication types you can use. For an example, see Create an Identity Policy with a Passive Authentication Rule.

Active authentication identity rules

When you configure an Active Authentication identity rule, you can choose to authenticate users with LDAP, a Microsoft Active Directory realm, or a Microsoft AD realm sequence. You can use a realm to authenticate with any authentication type; a realm sequence restricts the authentication types you can use.

You can also authenticate users with a Microsoft Active Directory realm sequence, but not with the following authentication types:

  • NTLM

  • Kerberos

  • HTTP Negotiate

For an example, see Create a Sample Identity Policy with an Active Authentication Rule.