Identity Policy Overview
You can use identity policies to detect the user who is associated with a connection. By identifying the user, you can correlate threat, endpoint, and network intelligence with user identity information. By linking network behavior, traffic, and events directly to individual users, the system can help you identify the source of policy breaches, attacks, or network vulnerabilities.
For example, you can identify who owns the host targeted by an intrusion event, and who initiated an internal attack or port scan. You can also identify high bandwidth users and users who are accessing undesirable web sites or applications.
User detection goes beyond collecting data for analysis. You can also write access rules based on user name or user group name, selectively allowing or blocking access to resources based on user identity.
Establishing User Identity through Active Authentication
Authentication is the act of confirming the identity of a user.
With active authentication, when an HTTP traffic flow comes from an IP address for which the system has no user-identity mapping, you can decide whether to authenticate the user who initiated the traffic flow against the directory configured for the system. If the user successfully authenticates, the IP address is considered to have the identity of the authenticated user.
Failure to authenticate does not prevent network access for the user. Your access rules ultimately decide what access to provide these users.
Limitations on Number of Users
Firepower Device Manager can download information on up to 2000 users from the directory server.
If your directory server includes more than 2000 user accounts, you will not see all possible names when selecting users in an access rule or when viewing user-based dashboard information. You can write rules on only those names that were downloaded.
The 2000 limit also applies to the names associated with groups. If a group has more than 2000 members, only the 2000 names that were downloaded can be matched against the group membership.
If you have more than 2000 users, consider using Firepower Management Center (the remote manager) instead of Firepower Device Manager. Firepower Management Center supports significantly more users.
Supported Directory Servers
You can use Microsoft Active Directory (AD) on Windows Server 2008 and 2012.
Note the following about your server configuration:
If you want to perform user control on user groups or on users within groups, you must configure user groups on the directory server. The system cannot perform user group control if the server organizes the users in a basic object hierarchy.
The directory server must use the field names listed in the following table for the system to retrieve user metadata from the server for that field.
Active Directory Field (the table is only partially recovered here):
- LDAP user name: field name not present in this copy of the table
- Email address: mail; userprincipalname (if mail has no value)
- Department: department; distinguishedname (if department has no value)
Determining the Directory Base DN
When you configure directory properties, you need to specify the common base distinguished name (DN) for users and groups. The base is defined in your directory server, and differs from network to network. You must enter the correct bases for identity policies to work. If the base is wrong, the system cannot determine user or group names, and thus identity-based policies will be inoperable.
To get the correct bases, consult the administrator who is responsible for the directory servers.
For Active Directory, you can determine the correct bases by logging in to the Active Directory server as a domain administrator and running the dsquery command at a command prompt, as follows:
- User search base
Enter the dsquery user command with a known username (partial or complete) to determine the base distinguished name. For example, the following command uses the partial name "John*" to return information for all users whose name starts with "John":
C:\Users\Administrator>dsquery user -name "John*"
"CN=John Doe,CN=Users,DC=csc-lab,DC=example,DC=com"
The base DN would be "DC=csc-lab,DC=example,DC=com".
- Group search base
Enter the dsquery group command with a known group name to determine the base distinguished name. For example, the following command uses the group name Employees to return the distinguished name:
C:\>dsquery group -name "Employees"
"CN=Employees,CN=Users,DC=csc-lab,DC=example,DC=com"
The group base DN would be "DC=csc-lab,DC=example,DC=com".
You can also use the ADSI Edit program to browse the Active Directory structure. In ADSI Edit, right-click any object, such as an organizational unit (OU), group, or user, and choose Properties to view the distinguished name. You can then copy the string of DC values as the base.
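The base DN is simply the trailing run of DC= components of any DN the directory returns. The following helper, added here as an example and not part of Firepower Device Manager or Cisco documentation, extracts that base from dsquery-style output and checks that the user and group DNs you collected share one base (a mismatch means one of the two search bases is wrong and identity rules will not match). The sample DNs are constructed after the examples above; the third one carries an escaped comma, which a naive split on "," would mangle.

```python
# Constructed sample DNs modelled on the dsquery output above (not real directory data).
SAMPLE_DNS = [
    'CN=John Doe,CN=Users,DC=csc-lab,DC=example,DC=com',
    'CN=Employees,CN=Users,DC=csc-lab,DC=example,DC=com',
    # RDN value containing an escaped comma (RFC 4514 "\," escape).
    'CN=Doe\\, Jane,OU=Sales,DC=csc-lab,DC=example,DC=com',
]


def split_rdns(dn: str) -> list[str]:
    """Split an LDAP DN into its RDNs, honouring backslash escapes (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def base_dn(dn: str) -> str:
    """Return the trailing DC= components of a DN, i.e. the search base to configure."""
    dc = []
    for rdn in reversed(split_rdns(dn)):
        if not rdn.lower().startswith("dc="):
            break
        dc.append(rdn)
    if not dc:
        raise ValueError(f"no DC components in {dn!r}")
    return ",".join(reversed(dc))


def common_base(dns) -> str:
    """Base shared by every DN; raises if the user and group DNs disagree."""
    bases = {base_dn(d).lower() for d in dns}
    if len(bases) != 1:
        raise ValueError(f"DNs span multiple bases: {sorted(bases)}")
    return base_dn(dns[0])


if __name__ == "__main__":
    for d in SAMPLE_DNS:
        print(d, "->", base_dn(d))
    print("common base:", common_base(SAMPLE_DNS))
```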
To verify that you have the correct base:
Click the Test Connection button in the directory properties to verify connectivity. Resolve any problems, and save the directory properties.
Commit changes to the device.
Create an access rule, select the Users tab, and try to add known user and group names from the directory. You should see auto-complete suggestions as you type for matching users and groups in the realm that contains the directory. If these suggestions appear in a drop-down list, then the system was able to query the directory successfully. If you see no suggestions, and you are certain the string you typed should appear in a user or group name, you need to correct the corresponding search base.
Dealing with Unknown Users
When you configure the directory server for the identity policy, the system downloads user and group membership information from the directory server. This information is refreshed every 24 hours at midnight, or whenever you edit and save the directory configuration (even if you do not make any changes).
If a user succeeds in authenticating when prompted by an active authentication identity rule, but the user’s name is not in the downloaded user identity information, the user is marked as Unknown. You will not see the user’s ID in identity-related dashboards, nor will the user match group rules.
However, any access control rules for the Unknown user will apply. For example, if you block connections for Unknown users, these users are blocked even though they succeeded in authenticating (meaning that the directory server recognizes the user and the password is valid).
Thus, when you make changes to the directory server, such as adding or deleting users, or changing group membership, these changes are not reflected in policy enforcement until the system downloads the updates from the directory.
If you do not want to wait until the daily midnight update, you can force an update by editing the directory server information (click the Directory Server button in the identity policy). Click Save, then deploy changes. The system will immediately download the updates.
You can check whether new or deleted user information is on the system by opening the access rule editor (click the Add Rule (+) button) and looking at the list of users on the Users tab. If you cannot find a new user, or you can find a deleted user, then the system has old information.