Cisco FTD Identity Policy lets you control network traffic based on user identity rather than on IP address alone. It does this by authenticating users and mapping each authenticated user's IP address to their username. That mapping, and how to configure it, is what this section covers.

What is Cisco FTD Identity Policy and what are its requirements?

How does Cisco FTD Identity Policy work?

When you configure an access control policy, you can permit a given service to specific users or groups instead of to IP addresses. Those users must then authenticate before they are allowed to reach that service.

The identity policy authenticates network users and, when a new user authenticates, binds their IP address to their username. When an access rule permits or denies a service for a specific user, the rule is applied to the IP address currently bound to that username.

In our example, we write an access control rule so that only User A may access service X. We then write an identity policy that authenticates users for a given type of traffic. User A authenticates, and the IP address 192.168.1.20 is mapped to User A's username. From then on, traffic from 192.168.1.20 is allowed to reach service X until the binding expires, which happens after the user has been idle for the configured session timeout; at that point the host must authenticate again.
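To make the IP-to-user binding concrete, here is a small Python model of the mechanism just described. It is an added example written for this article, not Cisco code: an identity table that binds a source IP to a username after a successful portal login and drops the binding once the host has been idle past a timeout, plus access rules written against usernames and groups. The usernames (usera, userb), the group staff, the service name X and the 600-second idle timeout are constructed values; the real timeout is a session-timeout setting on the FTD, not this constant.

```python
"""Toy model of identity-based access control: active authentication binds a
source IP to a username, access rules are written against usernames/groups,
and the binding lapses once the host has been idle longer than the timeout.
Added example for this article, not Cisco software."""

import ipaddress
from dataclasses import dataclass, field

# Assumed idle timeout for the model (seconds). On a real FTD this is a
# configurable session timeout, not a fixed constant.
DEFAULT_IDLE_TIMEOUT = 30 * 60


@dataclass
class Session:
    username: str
    groups: set
    last_seen: float          # timestamp of the last packet seen from this IP


class IdentityTable:
    """IP-to-user bindings: the table an identity policy builds as users
    pass the captive portal."""

    def __init__(self, idle_timeout=DEFAULT_IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def bind(self, ip, username, groups, now):
        """Called after a successful captive-portal login from this IP."""
        self._sessions[ipaddress.ip_address(ip)] = Session(username, set(groups), now)

    def lookup(self, ip, now):
        """Return the live session for ip, refreshing its idle timer, or None
        if the IP is unknown or has been idle past the timeout."""
        key = ipaddress.ip_address(ip)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[key]      # expired: the host must authenticate again
            return None
        session.last_seen = now          # matched traffic keeps the binding alive
        return session


@dataclass
class Rule:
    """One access control rule; users/groups are its identity conditions."""
    action: str                          # "allow" or "block"
    service: str                         # e.g. "X"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def matches(self, service, session):
        if service != self.service:
            return False
        if not self.users and not self.groups:
            return True                  # no identity condition on this rule
        return session.username in self.users or bool(session.groups & self.groups)


def process(table, rules, src_ip, service, now):
    """Decide a flow: hosts without a live binding are sent to the captive
    portal ("authenticate"); otherwise the first matching rule wins and the
    default action is block."""
    session = table.lookup(src_ip, now)
    if session is None:
        return "authenticate"
    for rule in rules:
        if rule.matches(service, session):
            return rule.action
    return "block"


if __name__ == "__main__":
    # Constructed scenario: only User A may reach service X.
    table = IdentityTable(idle_timeout=600)
    rules = [Rule("allow", "X", users={"usera"})]
    print(process(table, rules, "192.168.1.20", "X", 0))      # authenticate
    table.bind("192.168.1.20", "usera", {"staff"}, 0)         # portal login succeeds
    print(process(table, rules, "192.168.1.20", "X", 100))    # allow
    table.bind("192.168.1.21", "userb", {"staff"}, 0)
    print(process(table, rules, "192.168.1.21", "X", 100))    # block
    print(process(table, rules, "192.168.1.20", "X", 1200))   # authenticate (idle > 600 s)
```

Note that the decision is made per source IP, not per user: if two users share an address (NAT, a terminal server), the second login simply overwrites the first binding, which is why identity-based rules are only as precise as the IP-to-user mapping behind them.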

what is Cisco FTD Identity Policy ?

Cisco FTD Identity Policy Authentication Methods and their Requirements

A Cisco FTD identity policy can authenticate users passively, actively, or not at all.

Cisco FTD Identity Policy : Authentication Methods

With passive authentication, another system authenticates the user and hands the resulting user-to-IP mapping to the FTD. This is usually done with Cisco ISE: users authenticate to ISE with 802.1X and ISE publishes the session information to the FTD over pxGrid. This is not the method I implement in this course.

With active authentication, the user's web traffic is redirected to the captive portal (by default TCP port 885) on the routed data interface through which their traffic enters the device, and they are prompted to log in. Once authentication succeeds, the user's IP address is mapped to their username. This is the method I implement in this course.

Traffic that should not be authenticated at all can be matched with the “No Authentication” method.

Cisco FTD Authentication Methods

Before you can reference them in identity rules, you must configure a realm (the user directory) and the authentication methods you plan to use. We configured an Active Directory realm in the previous section.

When you configure active authentication, you must also specify a certificate that the captive portal presents to users' browsers. So before starting on the identity policy, make sure you have already uploaded a certificate for the FTD or decide to use the FTD's self-signed certificate. Keep in mind that the browser validates this certificate against the address it was redirected to: with the default redirect to the interface IP address, a certificate issued to a hostname will not match and users get an untrusted-certificate warning they have to click through, and a self-signed certificate is not trusted by clients unless it is installed on them. The Cisco note quoted in the comments below describes how to redirect to an FQDN instead.

If you are not familiar with creating a certificate, I explained it in the lesson “14. Cisco Firepower SSL Decryption: Decrypt Known Key”, in the section “Copy Server Certificate and its Private Key to the Firepower”.

Cisco FTD Identity Policy Configuration

To configure an identity policy, first create a new identity policy.

Then we create a rule that defines which traffic must be authenticated. We choose all traffic from the inside zone to the outside zone and select “Active Authentication” as the authentication method.

Create Identity Policy and Active Authentication Rule
Enable Traffic to be Authenticated

In the “Realm & Settings” tab we select the authentication database. I choose the Active Directory realm configured in the previous section.

choose Realm in Identity Policy

After saving the identity rule, we are asked to select a certificate for captive portal authentication. We choose the “rayka-co.local” certificate, which was configured in previous sections.

Add Certificate in Identity Policy

The identity policy then has to be associated with the access control policy; it only takes effect once it is attached to the access control policy deployed to the device.

Add Identity Policy in Access Control Rule

You can then write access control rules that permit certain services only to specific users or groups from your Active Directory.

give permission for some services only to specific Users or Groups

Cisco FTD Identity Policy Monitoring & Troubleshooting

As a test, we access the internet from an internal computer behind the Cisco FTD. As you can see, the browser is redirected to the captive portal and we are asked to authenticate.

captive portal message for active authentication
user is authenticated in captive portal

You can monitor authenticated users in “Analysis -> Users -> Active Sessions”. This is the first place to look when an identity-based rule does not match: if the user's IP address is not listed there, no user-to-IP mapping exists and the rule cannot apply to that host.

Monitor Active Users authenticated by Identity Policy
Monitor Active Users Details authenticated by Identity Policy

5 Comments

    • Hi Mohsen

      reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-identity.html
      When an identity rule requires active authentication for a user, the user is redirected to the captive portal port on the interface through which they are connected and then they are prompted to authenticate.
      Because this redirection is to the interface IP address, the identity policy certificate does not match exactly, and users get an untrusted certificate error. The user must accept the certificate to continue and authenticate to the device. Because this behavior is similar to a man-in-the-middle attack, users are reluctant to accept the untrusted certificate.
      To avoid this problem, you can configure active authentication to use the fully-qualified domain name (FQDN) of one interface on the device. With a properly configured certificate, users will not get an untrusted certificate error, and the authentication will be more seamless and appear to be more secure.

      Procedure
      Step 1
      In the DNS server, define a fully-qualified domain name (FQDN) for the interface IP address of the interface you want to use for gathering active authentication.

      Also called the captive portal, this must be a routed interface.

      Step 2
      Using a Certificate Authority (CA), obtain a certificate for this FQDN.

      You can create a certificate for the specific FQDN, such as ftd1.captive-port.example.com. Optionally, you can:

      Obtain a wildcard certificate that can apply to the captive portal interfaces on many different devices, for example, *.captive-port.example.com. The wildcard could also be broader, and apply to a wide class of endpoints, such as *.eng.example.com, or even *.example.com.

      Include multiple Subject Alternate Names (SAN) in the certificate.

      Step 3
      Select Objects > Certificates and upload the certificate.

      Step 4
      Select Objects > Network and create an FQDN network object for the DNS name.

      Step 5
      On the Policies > Identity page, update the identity policy settings with the certificate and FQDN object.

      Step 6
      Create rules in the identity policy that use active authentication.
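The certificate mismatch the Cisco note above describes comes down to how a browser compares the names in a server certificate with the host in the URL it was redirected to. The Python below is an added example written for this page (not Cisco or browser code) implementing that comparison: an IP literal in the redirect URL never matches a DNS name in the certificate, a plain name must match label for label, and a wildcard only replaces the whole left-most label. The SAN entries use the ("DNS", name) / ("IP Address", addr) tuple shape that Python's ssl.getpeercert()["subjectAltName"] returns; the interface address 192.168.1.1 is a constructed value, while rayka-co.local and ftd1.captive-port.example.com come from the page and the quoted note.

```python
"""Hostname matching for a captive-portal certificate: the check a browser
performs before it shows the login page. Added example for this page, not
Cisco or browser code. SAN entries use the ("DNS", name) / ("IP Address", addr)
tuple shape returned by ssl.getpeercert()["subjectAltName"]."""

import ipaddress


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hostname_matches(presented, reference):
    """True if the dNSName SAN entry `presented` covers `reference`, following
    the usual RFC 6125 rules: case-insensitive, a lone '*' may replace only the
    entire left-most label, and a wildcard needs at least two labels after it
    (so '*.com' is never accepted). An IP literal never matches a DNS name."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if _is_ip_literal(reference):
        return False
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if len(p_labels) != len(r_labels):
        return False                 # '*.a.b' covers neither 'x.y.a.b' nor 'a.b'
    if p_labels[0] == "*":
        if len(p_labels) < 3 or "" in p_labels[1:]:
            return False
        return p_labels[1:] == r_labels[1:]
    if "*" in presented:
        return False                 # partial-label wildcards like 'ftd*.x' are rejected
    return p_labels == r_labels


def certificate_matches(san_entries, reference):
    """True if any SAN entry covers the name or address the client connected to."""
    ref_is_ip = _is_ip_literal(reference)
    for kind, value in san_entries:
        if kind == "DNS" and not ref_is_ip and hostname_matches(value, reference):
            return True
        if (kind == "IP Address" and ref_is_ip and _is_ip_literal(value)
                and ipaddress.ip_address(value) == ipaddress.ip_address(reference)):
            return True
    return False


def portal_redirect_check(san_entries, interface_ip, fqdn=None):
    """Model the two redirect modes from the note: to the interface IP (the
    default) or to a configured FQDN. Returns the target the browser is sent
    to and whether the certificate would be accepted for that target."""
    target = fqdn if fqdn else interface_ip
    return target, certificate_matches(san_entries, target)


if __name__ == "__main__":
    # Constructed scenario: the rayka-co.local certificate from this page,
    # presented on an interface whose (assumed) address is 192.168.1.1.
    san = [("DNS", "rayka-co.local")]
    print(portal_redirect_check(san, "192.168.1.1"))                      # ('192.168.1.1', False)
    print(portal_redirect_check(san, "192.168.1.1", fqdn="rayka-co.local"))  # ('rayka-co.local', True)
    wild = [("DNS", "*.captive-port.example.com")]
    print(certificate_matches(wild, "ftd1.captive-port.example.com"))   # True
    print(certificate_matches(wild, "a.b.captive-port.example.com"))    # False
```

The last two lines show the limit of the wildcard option in the note: *.captive-port.example.com covers one label, so each device's portal name must sit directly under that suffix. A certificate that lists the interface address as an "IP Address" SAN would also pass the check for the default redirect, but that ties the certificate to one address and is rarely what an internal CA will issue, which is why the note steers you to an FQDN.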

  1. For how long will the user be authenticated? Is user authentication a one-time process, or will the FMC ask for re-authentication after a certain period of time?

  2. Masjid,
    Thank you so much for preparing these tutorials! I’m trying to set up active authentication for the captive portal in my lab environment, running 7.2.4 on the FMC and FTD (Firepower 1010). Currently I’m having a problem where the authentication prompt will not appear for the user… the redirection URL simply times out in the user’s browser. I’m wondering if the issue is the interface on the FTD that I’m choosing for the captive portal redirection. Do you need a dedicated interface on the FTD, or one that is simply inline with the user’s traffic flow? Currently I’m using the management interface of the FTD, which I believe is the problem. Thanks again!
