Procedure

Before you begin

Ensure that time settings are consistent among the directory servers, FDM-managed device, and clients. A time shift among these devices can prevent successful user authentication. "Consistent" means that you can use different time zones, but the time should be the same relative to those zones; for example, 10 AM PST = 1 PM EST.

Procedure

Step 1

In the navigation pane, click Inventory.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and select the device for which you are configuring an identity policy, and click Policy in the Management pane at the right.

Step 4

Enable Identity policies by clicking the Identity toggle. Or, you can click the button, review the descriptions of passive and active authentication and click Enable in the dialog.

Step 5

Read the Passive Authentication settings. Click the Passive Auth button on the identity bar.

The Passive Authentication button shows Enabled if you have configured remote access VPN or Cisco Identity Services engine using Firepower Device Manager.

You must have configured at least one passive identity source to create passive authentication rules.

Step 6

Configure Active Authentication. When an identity rule requires active authentication for a user, the user is redirected to the captive portal port on the interface through which they are connected and then they are prompted to authenticate.

  1. Click the Active Auth button on the Identity bar.

  2. If you have not already, enable SSL Description by clicking the Enable link. If you don't see the Enable link, skip to step "c".

    1. From the Select Decrypt Re-Sign Certificate menu, select the internal CA certificate to use for rules that implement decryption with re-signed certificates.

      You can use the pre-defined NGFW-Default-InternalCA certificate, or click the menu and select Create or Choose to create a new certificate or select one you have already uploaded to the FDM-managed device.

      If you have not already installed the certificate in client browsers, click the download button to obtain a copy. See the documentation for each browser for information on how to install the certificate. Also see Downloading the CA Certificate for Decrypt Re-Sign Rules.

      Note

      You are prompted for SSL Decryption settings only if you have not already configured the SSL decryption policy. To change these settings after enabling the identity policy, edit the SSL decryption policy settings.

    2. Click Save.

  3. Click the Server Certificate menu to select (choose) the internal certificate to present to users during active authentication. If you have not already created the required certificate, click Create. Users will have to accept the certificate if you do not upload a certificate that their browsers already trust.

  4. In the Port field, enter the port number for the captive portal. The default is 885 (TCP). If you configure a different port, it must be in the range 1025-65535.

    Note

    For the HTTP Basic, HTTP Response Page, and NTLM authentication methods, the user is redirected to the captive portal using the IP address of the interface. However, for HTTP Negotiate, the user is redirected using the fully-qualified DNS name firewall-hostname.AD-domain-name . If you want to use HTTP Negotiate, you must also update your DNS server to map this name to the IP addresses of all inside interfaces where you are requiring active authentication. Otherwise, the redirection cannot complete, and users cannot authenticate.

  5. Click Save.

Step 7

Continue with Configure the Identity Policy Default Action.