Realm Fields
The following fields are used to configure a realm.
Realm Configuration Fields
These settings apply to all Active Directory servers or domain controllers (also referred to as directories) in a realm.
- Name
-
A unique name for the realm.
-
To use the realm in identity policies, the system supports alphanumeric and special characters.
-
To use the realm in RA VPN configurations, the system supports alphanumeric, hyphen (-), underscore (_), and plus (+) characters.
-
- Description
- (Optional.) Enter a description of the realm.
- Type
-
The type of realm, AD for Microsoft Active Directory, LDAP for other supported LDAP repositories, or Local. For a list of supported LDAP repositories, see Supported Servers for Realms. You can authenticate captive portal users with an LDAP repository; all others require Active Directory.
NoteOnly captive portal supports an LDAP realm.
- AD Primary Domain
-
For Microsoft Active Directory realms only. Domain for the Active Directory server where users should be authenticated.
NoteYou must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. Although the system allows you to specify the same AD Primary Domain for different AD realms, the system won't function properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group. The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups won't be identified properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group.
- AD Join Username and AD Join Password
- (Available on the Realm Configuration tab page when you edit a realm.)
- Directory Username and Directory Password
-
The distinguished username and password for a user with appropriate access to the user information you want to retrieve.
Note the following:
-
For Microsoft Active Directory, the user does not need elevated privileges. You can specify any user in the domain.
-
For OpenLDAP, the user's access privileges are determined by the <level> parameter discussed in section 8 of the OpenLDAP specification. The user's <level> should be auth or better.
-
The user name must be fully qualified (for example, administrator@mydomain.com, not administrator).
NoteThe SHA-1 hash algorithm is not secure for storing passwords on your Active Directory server and should not be used. For more information, consult a reference such as Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2 on Microsoft TechNet or Password Storage Cheat Sheet on the Open Web Application Security Project website.
We recommend SHA-256 for communicating with Active Directory.
-
- Base DN
-
(Optional.) The directory tree on the server where the Cisco Defense Orchestrator should begin searching for user data. If you don't specify a Base DN, the system retrieves the top-level DN provided you can connect to the server.
Typically, the base distinguished name (DN) has a basic structure indicating the company domain name and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com.
- Group DN
-
(Optional.) The directory tree on the server where the Cisco Defense Orchestrator should search for users with the group attribute. A list of supported group attributes is shown in Supported Server Object Class and Attribute Names. If you don't specify a Group DN, the system retrieves the top-level DN provided you can connect to the server.
NoteFollowing is the list of characters the system supports in users, groups, DNs in your directory server. Using any characters other than the following could result in the system failing to download users and groups.
Entity Supported characters User name a-z A-Z 0-9 ! # $ % ^ & ( ) _ - { } ' . ~ `
Group name a-z A-Z 0-9 ! # $ % ^ & ( ) _ - { } ' . ~ `
Base DN and Group DN a-z A-Z 0-9 ! @ $ % ^ & * ( ) _ - . ~ `
- Proxy
- From the list, click one or more managed devices or a proxy sequence. These devices must be able to communicate with Active Directory or ISE/ISE-PIC to retrieve user data for identity policies.
The following fields are available when you edit an existing realm.
- User Session Timeout