
Cisco FTD Identity Policy gives the capability to control network traffic based on user identity instead of IP address. This is done by authenticating users and mapping each IP address to a username. This is what we will discuss in this section.

What is Cisco FTD Identity Policy and what are its requirements?

How does Cisco FTD Identity Policy work?

When you configure an access control policy, you can permit a specific type of service to specific users instead of to IP addresses. Those users then have to be authenticated before they are allowed to access that service.

The identity policy authenticates network users and binds their IP address to the username when a new user authenticates. If you deny or permit a type of service for a specific user, the rule is applied to the IP address bound to that username.

In our example, we write an access control policy so that only User A is allowed to access service X. Then we write an identity policy to authenticate users for a specific type of traffic. User A is authenticated and its IP address 192.168.1.20 is mapped to User A's username. From now on, the IP address 192.168.1.20 is allowed to access service X until the user is idle for some time.
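To make the IP-to-user binding concrete, here is a small Python model, added here as an illustration and not part of the original lesson or of Cisco's code: it keeps a table of IP address to username with an idle timeout, and evaluates access-control rules keyed on the username rather than on the IP address. The idle timeout value, the rule list and the service names are constructed assumptions.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 1800  # constructed idle timeout in seconds, not FTD's real default


@dataclass
class Binding:
    user: str
    last_seen: float  # timestamp of the last packet seen from this IP


class IdentityMap:
    """IP address -> username bindings created by captive-portal authentication."""

    def __init__(self):
        self.bindings = {}

    def authenticate(self, ip, user, now):
        # Successful captive-portal login: bind the client IP to the username.
        self.bindings[ip] = Binding(user, now)

    def lookup(self, ip, now):
        # Return the username bound to ip, dropping the binding once it is idle.
        b = self.bindings.get(ip)
        if b is None:
            return None
        if now - b.last_seen > IDLE_TIMEOUT:
            del self.bindings[ip]  # idle user: mapping is removed
            return None
        b.last_seen = now  # traffic keeps the binding alive
        return b.user


# Constructed access-control rules, evaluated top-down, first match wins:
# (required user or None for any, service or None for any, action)
RULES = [
    ("userA", "serviceX", "allow"),  # only User A may reach service X
    (None, "serviceX", "deny"),      # everybody else is blocked from service X
    (None, None, "allow"),           # other services are open to all
]


def evaluate(identity, ip, service, now):
    """Apply RULES to a flow; the user is whoever is bound to the source IP."""
    user = identity.lookup(ip, now)
    for rule_user, rule_service, action in RULES:
        if rule_user is not None and rule_user != user:
            continue
        if rule_service is not None and rule_service != service:
            continue
        return action
    return "deny"  # implicit default deny
```

Before authentication 192.168.1.20 is denied service X; after User A logs in it is allowed, and once the binding idles out the same IP is denied again.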

what is Cisco FTD Identity Policy ?

Cisco FTD Identity Policy Authentication Methods and Their Requirements

Cisco FTD Identity Policy offers three options for authenticating users: passive authentication, active authentication, or no authentication at all.

Cisco FTD Identity Policy : Authentication Methods

With passive authentication, we need another tool that authenticates the user and then passes the result to the Cisco FTD. This is usually done through Cisco ISE dot1x authentication and pxGrid technology. It is not the method that I will implement in this course.

With active authentication, the user is redirected to the captive portal port, where they are prompted to authenticate. When user authentication is successful, the user's IP address is mapped to the user's username. This is the method that I will implement in this course.

We can also skip authentication for some traffic with the "no authentication" method.

Cisco FTD Authentication Methods

To authenticate users, you have to configure a realm and the authentication methods you plan to use before you can invoke them in your identity rules. We configured the Active Directory authentication method in the last section.

When you configure active authentication, you have to provide a certificate that will be used for captive portal authentication. So before starting the Cisco FTD identity policy, make sure that you have already configured a certificate for Cisco FTD, or use the FTD self-signed certificate.

If you are not familiar with how to create a certificate, I have already explained it in the lesson "14. Cisco Firepower SSL Decryption: Decrypt Known Key", in the section "Copy Server Certificate and its Private Key to the Firepower".

Cisco FTD Identity Policy Configuration

To configure an identity policy, first we have to create a new Identity Policy.

Then we create a rule to authenticate users for some traffic. We choose all traffic from the inside zone to the outside zone to be authenticated, and we choose "Active Authentication" as the authentication method.

Create Identity Policy and Active Authentication Rule
Enable Traffic to be Authenticated

We have to configure an authentication database in the "Realm & Settings" tab. I choose the Active Directory database, which I configured in the previous section.

choose Realm in Identity Policy

After saving the identity rule, we will be asked to configure a certificate for captive portal authentication. We choose the "rayka-co.local" certificate, which was configured in previous sections.

Add Certificate in Identity Policy

Then the configured identity policy has to be activated in the access control policy.

Add Identity Policy in Access Control Rule

Then you can give permission for some services only to specific users or groups configured in your Active Directory.

give permission for some services only to specific Users or Groups

Cisco FTD Identity Policy Monitoring & Troubleshooting

Just for a test, we access the internet from an internal computer behind Cisco FTD. As you can see, we are asked to authenticate and are redirected to a captive portal for user authentication.

captive portal message for active authentication
user is authenticated in captive portal

You can monitor active users under "Analysis -> Users -> Active Sessions".

Monitor Active Users authenticated by Identity Policy
Monitor Active Users Details authenticated by Identity Policy