Realm Fields

The following fields are used to configure a realm.

Realm Configuration Fields

These settings apply to all Active Directory servers or domain controllers (also referred to as directories) in a realm.

Name

A unique name for the realm. The system supports alphanumeric and special characters.

Description

(Optional.) Enter a description of the realm.

Type

The type of realm, AD for Microsoft Active Directory or LDAP for other supported LDAP repositories. For a list of supported LDAP repositories, see Supported Servers for Realms. You can authenticate captive portal users with an LDAP repository; all others require Active Directory.

Note	Only captive portal supports an LDAP realm.

AD Primary Domain

For Microsoft Active Directory realms only. Domain for the Active Directory server where users should be authenticated.

Note

You must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. Although the system allows you to specify the same AD Primary Domain for different AD realms, the system won't function properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group. The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups won't be identified properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group.

Directory Username and Directory Password

The distinguished username and password for a user with appropriate access to the user information you want to retrieve.

Note the following:

• For Microsoft Active Directory, the user does not need elevated privileges. You can specify any user in the domain.

• For OpenLDAP, the user's access privileges are determined by the <level> parameter discussed in section 8 of the OpenLDAP specification. The user's <level> should be auth or better.

• The user name must be fully qualified (for example, administrator@mydomain.com, not administrator).

Note

The SHA-1 hash algorithm is not secure for storing passwords on your Active Directory server and should not be used. For more information, consult a reference such as Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2 on Microsoft TechNet or Password Storage Cheat Sheet on the Open Web Application Security Project website.

Base DN

The directory tree on the server where the Secure Firewall Management Center should begin searching for user data.

Typically, the base distinguished name (DN) has a basic structure indicating the company domain name and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com.

Group DN

The directory tree on the server where the Secure Firewall Management Center should search for users with the group attribute. A list of supported group attributes is shown in Supported Server Object Class and Attribute Names.

Note

Following is the list of characters the Firepower System supports in users, groups, DNs in your directory server. Using any characters other than the following could result in the Firepower System failing to download users and groups. Entity Supported characters User name a-z A-Z 0-9 ! # $ % ^ & ( ) _ - { } ' . ~ ` Group name a-z A-Z 0-9 ! # $ % ^ & ( ) _ - { } ' . ~ ` Base DN and Group DN a-z A-Z 0-9 ! @ $ % ^ & * ( ) _ - . ~ ` [ ]

Group Attribute

(Optional.) The group attribute for the server, Member or Unique Member.

The following fields are available when you edit an existing realm.

User Session Timeout

Enter the number of minutes before user sessions time out. The default is 1440 (24 hours) after the user's login event. After the timeout is exceeded, the user's session ends; if the user continues to access the network without logging in again, the user is seen by the Firepower Management Center as Unknown.