Procedure

The following procedure provides an overview of what you must configure to get identity policies to work:

Procedure


Step 1

Create the AD identity realm. Whether you collect user identity actively or passively, you need to configure the Active Directory (AD) server that has the user identity information. See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information.

Step 2

If you want to use passive authentication identity rules, configure the passive identity sources using FDM.

You can configure any of the following, based on the services you are implementing in the device and the services available to you in your network.

  • Remote access VPN—If you intend to support remote access VPN connections to the device, user logins can provide the identity based on the AD server or on local users (those defined within an FDM-managed device). For information on configuring remote access VPN, see the Configuring Remote Acces VPNs chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version running on your device.

  • Cisco Identity Services Engine (ISE) or Cisco Identity Services Engine Passive Identity Connector (ISE PIC)—If you use these products, you can configure the device as a pxGrid subscriber, and obtain user identity from ISE. See the Configure Identity Services Engine chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for instructions.

Step 3

Using Security Cloud Control, enable the identity policy and configure passive or active authentication. See Configure Identity Policy Settings for more information.

Step 4

Using Security Cloud Control, Configure Identity Policy Default Action. If your intention is to use passive authentication only, you can set the default action to passive authentication and there is no need to create specific rules.

Step 5

Using Security Cloud Control, Configuring Identity Rules. Create rules that will collect passive or active user identities from the relevant networks.

Step 6

(Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments see, Adding Comments to Rules in FTD Policies and Rulesets.

Step 7

Review and deploy now the changes you made, or wait and deploy multiple changes at once.