Configure Identity Sources for FDM-Managed Device
Identity Sources, such as Microsoft AD realms and RADIUS Servers, are AAA servers and databases that define user accounts for the people in your organization. You can use this information in a variety of ways, such as providing the user identity associated with an IP address, or authenticating remote access VPN connections or access to CDO.
Click Objects > FDM Objects, then click and choose to create your sources. You would then use these objects when you configure the services that require an identity source. You can apply appropriate filters to search existing sources and manage them.
Active Directory Realms
Active Directory provides user account and authentication information. When you deploy a configuration that includes an AD realm to an FDM-managed device, CDO fetches users and groups from the AD server.
You can use this source for the following purposes:
-
Remote Access VPN, as a primary identity source. You can use AD in conjunction with a RADIUS server.
-
Identity policy, for active authentication and as the user identity source used with passive authentication.
-
Identity rule, for active authentication for a user.
You can create access control rules with user identities. See How to Implement an Identity Policy for more information.
CDO requests an updated list of user groups once every 24 hours. Because you can add a maximum of 50 users or groups to a rule, selecting groups usually makes more sense than selecting individual users. For example, you could create a rule allowing the Engineering group access to a development network, and create a subsequent rule that denies all other access to the network. Then, to make the rule apply to new engineers, you only need to add the engineer to the Engineering group in the directory server.
Active Directory Realms In CDO
You configure the AD realm when you create an AD Identity object. The identity source objects wizard assists in determining how to connect to the AD server and where the AD server is located in the network.
Note | If you create an AD realm in CDO, CDO remembers the AD password when you create affiliate identity source objects and when you add those objects to an identity rule. |
Active Directory Realms In FDM
You can point to AD realm objects that were created in FDM from the CDO objects wizard. Note that CDO does not read the AD password for AD realm objects that are created in FDM. You must manually enter the correct AD password in CDO.
To configure an AD realm in firewall device managers, see the Configuring AD Identity Realms section of the Reusable Objects chapters of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.
Supported Directory Servers
You can use AD on Windows Server 2008 and 2012.
Note the following about your server configuration:
-
If you want to perform user control on user groups or on users within groups, you must configure user groups on the directory server. The system cannot perform user group control if the server organizes the users in a basic object hierarchy.
-
The directory server must use the field names listed in the following table in order for the system to retrieve user metadata from the servers for that field:
Metadata |
Active Directory Field |
---|---|
LDAP user name | samaccountname |
First name | givename |
Last Name | sn |
email address |
userprincipalname (if mail has no value) |
Department |
department distinguishedname (if department has no value) |
Telephone number | telephonenumber |