Create an Identity Rule

For details about configuration options for identity rules, see Identity Rule Fields.

Before you begin

You must create and enable a realm or realm sequence.

Caution

When SSL decryption is disabled (that is, when the access control policy does not include an SSL policy), adding the first or removing the last active authentication rule restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.

An active authentication rule (also called a captive portal rule) has either an Active Authentication rule action, or a Passive Authentication rule action with Use active authentication if passive or VPN identity cannot be established selected. In either case the system transparently enables or disables SSL decryption, and that change is what restarts the Snort process.

Procedure


Step 1

Log in to the Cisco Defense Orchestrator.

Step 2

Click Policies > Access Control > Identity.

Step 3

Click Edit (edit icon) next to the identity policy to which to add the identity rule.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Add Rule.

Step 5

Enter a Name.

Step 6

Specify whether the rule is Enabled.

Step 7

To add the rule to an existing category, indicate where you want to Insert the rule. To add a new category, click Add Category.

Step 8

Choose a rule Action from the list.

Step 9

If you're configuring captive portal, see How to Configure the Captive Portal for User Control.

Step 10

(Optional) To add conditions to the identity rule, see Identity Rule Conditions.

Step 11

Click Add.

Step 12

In the policy editor, set the rule position. Click and drag, or use the right-click menu to cut and paste. Rules are numbered starting at 1, and the system evaluates them top-down in ascending rule number; the first rule that traffic matches is the rule that handles that traffic, and later rules are not consulted. Proper rule order reduces the resources required to process network traffic and prevents rule preemption, where a broader rule placed earlier matches all the traffic a later, more specific rule was meant to handle, so the later rule never takes effect.
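The following is an added example, not code from Cisco Defense Orchestrator or the Firepower product, that models the first-match evaluation described in this step and flags rules that are preempted by an earlier rule. It is a simplified model: only source networks and destination ports are represented as conditions (real identity rules have more condition types), the rule names, addresses and ports are constructed for illustration, and a rule is reported as preempted only when a single earlier enabled rule covers all of its conditions (it does not detect preemption by the combined effect of several earlier rules).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityRule:
    """Toy identity rule: only source networks and destination ports are modeled.
    An empty tuple means 'any' for that condition, as in the policy editor."""
    name: str
    action: str            # e.g. "Active Authentication", "Passive Authentication", "No Authentication"
    src_networks: tuple = ()   # CIDR strings
    dst_ports: tuple = ()      # integer ports
    enabled: bool = True


def _matches_network(networks, ip):
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def _matches_port(ports, port):
    return not ports or port in ports


def first_match(rules, src_ip, dst_port):
    """Evaluate rules top-down (numbered from 1); return (number, rule) for the
    first enabled rule that matches, or None when no rule matches."""
    for number, rule in enumerate(rules, start=1):
        if not rule.enabled:
            continue
        if _matches_network(rule.src_networks, src_ip) and _matches_port(rule.dst_ports, dst_port):
            return number, rule
    return None


def _networks_covered(later, earlier):
    """True if every network of the later rule lies inside some network of the earlier rule."""
    if not earlier:          # earlier rule matches any source: always covers
        return True
    if not later:            # later rule is 'any' but earlier is not: not fully covered
        return False
    earlier_nets = [ipaddress.ip_network(e) for e in earlier]
    for l in later:
        l_net = ipaddress.ip_network(l)
        if not any(e.version == l_net.version and l_net.subnet_of(e) for e in earlier_nets):
            return False
    return True


def _ports_covered(later, earlier):
    if not earlier:
        return True
    if not later:
        return False
    return set(later) <= set(earlier)


def preempted_rules(rules):
    """Return [(preempted_rule_name, earlier_rule_name), ...] for every enabled rule
    whose traffic would always be claimed by a single earlier enabled rule."""
    result = []
    for i, rule in enumerate(rules):
        if not rule.enabled:
            continue
        for earlier in rules[:i]:
            if (earlier.enabled
                    and _networks_covered(rule.src_networks, earlier.src_networks)
                    and _ports_covered(rule.dst_ports, earlier.dst_ports)):
                result.append((rule.name, earlier.name))
                break
    return result


# Constructed sample policy: rule 3 is more specific than rule 1 but sits below it,
# so it is preempted and never handles traffic.
SAMPLE_RULES = [
    IdentityRule("Guest-VLAN-captive-portal", "Active Authentication", ("10.20.0.0/16",), (80, 443)),
    IdentityRule("Corp-passive", "Passive Authentication", ("10.0.0.0/8",)),
    IdentityRule("Guest-HTTP-only", "Active Authentication", ("10.20.5.0/24",), (80,)),
]

if __name__ == "__main__":
    print(first_match(SAMPLE_RULES, "10.20.5.7", 80))     # rule 1 wins, not rule 3
    print(first_match(SAMPLE_RULES, "192.168.1.1", 80))   # None: no identity rule matches
    print(preempted_rules(SAMPLE_RULES))                  # [('Guest-HTTP-only', 'Guest-VLAN-captive-portal')]
```

Moving "Guest-HTTP-only" above "Guest-VLAN-captive-portal" in this model clears the preemption report, which mirrors the drag-and-drop reordering this step describes.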

Step 13

Click Save.


What to do next