Cisco FTD Identity Policy gives you the capability to control network traffic based on user identity instead of IP address. It does this by authenticating users and mapping each user's IP address to a username. This is what we will discuss in this section.
What is Cisco FTD Identity Policy and what are its requirements?
How does Cisco FTD Identity Policy work?
When you configure an access control policy, you can permit a specific type of service for particular users instead of IP addresses. Users then have to be authenticated before they are allowed to access that service.
The identity policy authenticates network users and binds their IP address to the username when a new user authenticates. If you deny or permit a type of service for a specific user, the rule is applied to the IP address bound to that username.
In our example, we write an access control policy so that only User A is allowed to access service X. Then we write an identity policy to authenticate users for a specific type of traffic. User A is authenticated and its IP address, 192.168.1.20, is mapped to User A's username. From then on, the IP address 192.168.1.20 is allowed to access service X until the user has been idle for some time.
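The binding between an authenticated username and an IP address, and its expiry after idle time, is the core of identity-based access control. The following Python simulation is an added illustration written for this page, not Cisco code (the FTD engine is closed source); the rule table, the 600-second idle timeout and the service names are constructed assumptions that mirror the User A / service X example above.

```python
"""Toy model of identity-based access control as described above:
an identity table binding IP -> username with an idle timeout, and an
access control rule keyed on the username rather than the address.
Constructed example; the timeout value and rules are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Session:
    username: str
    last_seen: float  # seconds; updated whenever traffic from the IP is seen


@dataclass
class IdentityTable:
    idle_timeout: int = 600  # assumed value, not an FMC default
    sessions: dict = field(default_factory=dict)  # ip -> Session

    def authenticate(self, ip, username, now):
        """Called after a successful captive-portal login: bind IP to user."""
        self.sessions[ip] = Session(username, now)

    def lookup(self, ip, now):
        """Return the username bound to ip, or None if unknown or idle too long."""
        s = self.sessions.get(ip)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            del self.sessions[ip]  # expired: the host must authenticate again
            return None
        s.last_seen = now  # traffic keeps the binding alive
        return s.username


# Access control rule: only user_a may reach service_x (constructed rule set).
ACCESS_RULES = [("user_a", "service_x")]


def evaluate(table, src_ip, service, now):
    """Decide what happens to a flow: authenticate, allow or deny."""
    user = table.lookup(src_ip, now)
    if user is None:
        return "authenticate"  # identity rule: redirect to the captive portal
    for rule_user, rule_service in ACCESS_RULES:
        if user == rule_user and service == rule_service:
            return "allow"
    return "deny"


def demo():
    """Walk through the scenario from the text and return the decisions in order."""
    t = IdentityTable(idle_timeout=600)
    results = []
    results.append(evaluate(t, "192.168.1.20", "service_x", now=0))     # unknown host
    t.authenticate("192.168.1.20", "user_a", now=5)                      # User A logs in
    results.append(evaluate(t, "192.168.1.20", "service_x", now=10))    # allowed
    results.append(evaluate(t, "192.168.1.20", "service_y", now=20))    # no rule: deny
    t.authenticate("192.168.1.21", "user_b", now=30)
    results.append(evaluate(t, "192.168.1.21", "service_x", now=40))    # wrong user: deny
    results.append(evaluate(t, "192.168.1.20", "service_x", now=2000))  # idle > 600 s
    return results


if __name__ == "__main__":
    print(demo())
```

The last decision shows why the idle timeout matters from a defender's point of view: the permission is attached to the address, so any host that holds 192.168.1.20 inherits User A's access until the binding expires or is re-authenticated.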
Cisco FTD Identity Policy Authentication Methods and Their Requirements
Cisco FTD Identity Policy offers three options for authenticating users: passive authentication, active authentication, or no authentication at all.
With passive authentication, we need another tool that authenticates the user and then passes the result to the Cisco FTD. This is usually done through Cisco ISE dot1x authentication and pxGrid technology. It is not the method that I will implement in this course.
With active authentication, the user is redirected to the captive portal port, where they are prompted to authenticate. When the user authenticates successfully, the user's IP address is mapped to the user's username. This is the method that I will implement in this course.
We can also exempt some traffic from authentication with the "No Authentication" method.
To authenticate users, you have to configure a realm and the authentication methods you plan to use before you can invoke them in your identity rules. We configured the Active Directory authentication method in the last section.
When you configure active authentication, you have to specify a certificate that will be used for captive portal authentication. So before starting with the Cisco FTD identity policy, make sure that you have already configured a certificate for the Cisco FTD, or use the FTD self-signed certificate.
If you are not familiar with how to create a certificate, I have already explained it in the lesson "14. Cisco Firepower SSL Decryption: Decrypt Known Key", in the section "Copy Server Certificate and its Private Key to the Firepower".
Cisco FTD Identity Policy Configuration
To configure an identity policy, we first have to create a new Identity Policy.
Then we create a rule to authenticate users for some traffic. We choose all traffic from the inside zone to the outside zone to be authenticated, and we choose "Active Authentication" as the authentication method.
We have to configure an authentication database in the "Realm & Settings" tab. I choose the Active Directory database, which I configured in the previous section.
After saving the identity rule, we will be asked to configure a certificate for captive portal authentication. We choose the "rayka-co.local" certificate, which was configured in previous sections.
Then the configured identity policy has to be activated in the access control policy.
Then you can grant access to some services only to specific users or groups configured in your Active Directory.
Cisco FTD Identity Policy Monitoring & Troubleshooting
Just as a test, we access the internet from an internal computer behind the Cisco FTD. As you can see, we are asked to authenticate and are redirected to a captive portal.
You can monitor active users in "Analysis -> Users -> Active Sessions".
I have a question.
Is there any way to use an FQDN instead of an IP address?
I mean, when the identity page pop-up opens automatically, it opens https://192.168.X.X:885; I want the pop-up to point to https://identity.mydomain.com:885. It will help me to use a *.mydomain.com certificate.
Can you help me?
Thanks in advance.
When an identity rule requires active authentication for a user, the user is redirected to the captive portal port on the interface through which they are connected and then they are prompted to authenticate.
Because this redirection is to the interface IP address, the identity policy certificate does not match exactly, and users get an untrusted certificate error. The user must accept the certificate to continue and authenticate to the device. Because this behavior is similar to a man-in-the-middle attack, users are reluctant to accept the untrusted certificate.
To avoid this problem, you can configure active authentication to use the fully-qualified domain name (FQDN) of one interface on the device. With a properly configured certificate, users will not get an untrusted certificate error, and the authentication will be more seamless and appear to be more secure.
In the DNS server, define a fully-qualified domain name (FQDN) for the interface IP address of the interface you want to use for gathering active authentication.
Also called the captive portal, this must be a routed interface.
Using a Certificate Authority (CA), obtain a certificate for this FQDN.
You can create a certificate for the specific FQDN, such as ftd1.captive-port.example.com. Optionally, you can:
Obtain a wildcard certificate that can apply to the captive portal interfaces on many different devices, for example, *.captive-port.example.com. The wildcard could also be broader, and apply to a wide class of endpoints, such as *.eng.example.com, or even *.example.com.
Include multiple Subject Alternate Names (SAN) in the certificate.
Select Objects > Certificates and upload the certificate.
Select Objects > Network and create an FQDN network object for the DNS name.
On the Policies > Identity page, update the identity policy settings with the certificate and FQDN object.
Create rules in the identity policy that use active authentication.
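The reason the default redirect produces a certificate warning is a hostname-matching rule, not a Cisco-specific quirk: a browser compares an IP literal in the URL only against iPAddress entries in the certificate's Subject Alternative Name, never against DNS names, and a wildcard covers exactly one label. The Python below is an added illustration for this page (not Cisco or browser code) that applies those rules to constructed SAN lists using the names from the answer above and from the question (ftd1.captive-port.example.com, *.captive-port.example.com, *.mydomain.com); the IP addresses are assumed.

```python
"""Hostname matching of a captive-portal redirect target against certificate
SANs, following the RFC 6125 rules browsers apply. Constructed example: the
SAN lists below stand in for three hypothetical certificates."""
import ipaddress

SINGLE_FQDN_CERT = [("DNS", "ftd1.captive-port.example.com")]
WILDCARD_CERT = [("DNS", "*.captive-port.example.com")]
ASKER_WILDCARD_CERT = [("DNS", "*.mydomain.com")]


def _dns_name_matches(pattern, hostname):
    """A wildcard is honoured only as the whole leftmost label and covers
    exactly one label; everything else must match literally."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    p_rest = p.split(".")[1:]
    h_labels = h.split(".")
    return len(h_labels) == len(p_rest) + 1 and h_labels[1:] == p_rest


def _is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def cert_matches_target(sans, target):
    """True when the host part of the redirect URL is covered by the SANs."""
    if _is_ip_literal(target):
        # An IP literal only matches iPAddress SAN entries; a certificate that
        # carries DNS names alone (the usual case) can never match it.
        return any(
            kind == "IP" and ipaddress.ip_address(value) == ipaddress.ip_address(target)
            for kind, value in sans
        )
    return any(kind == "DNS" and _dns_name_matches(value, target) for kind, value in sans)


def redirect_outcomes():
    """Each case: (certificate SANs, host in the captive-portal redirect URL)."""
    cases = [
        (SINGLE_FQDN_CERT, "192.168.1.1"),                       # default: interface IP
        (SINGLE_FQDN_CERT, "ftd1.captive-port.example.com"),     # FQDN redirect
        (WILDCARD_CERT, "ftd1.captive-port.example.com"),        # wildcard, one label
        (WILDCARD_CERT, "ftd1.site2.captive-port.example.com"),  # two labels: no match
        (ASKER_WILDCARD_CERT, "identity.mydomain.com"),          # the asker's plan
        (ASKER_WILDCARD_CERT, "192.168.10.5"),                   # the asker's current URL
    ]
    return [cert_matches_target(sans, host) for sans, host in cases]


if __name__ == "__main__":
    print(redirect_outcomes())
```

The first and last cases are the warning the answer describes: a DNS-only certificate cannot cover a redirect to an interface address, so the fix is the FQDN object plus a certificate issued for that name (or a wildcard one label above it), as in the steps listed above.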
For how long will the user be authenticated? Is user authentication a one-time process, or will FMC ask for re-authentication after a certain period of time?
Re-authentication will occur based on the server timeout or the timeout period set on the LDAP server.