Order—Select where you want to insert the rule in the ordered list of rules. Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above policies that have more general criteria that would otherwise apply to the matching traffic. The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.
Authentication Method—(Active Authentication only.) Select the authentication method (Type) supported by your directory server.
- HTTP Basic—Authenticate users using an unencrypted HTTP Basic Authentication (BA) connection. Users log in to the network using their browser's default authentication popup window. This is the default.
- NTLM—Authenticate users using an NT LAN Manager (NTLM) connection. This selection is only available when you select an AD realm. Users log in to the network using their browser's default authentication popup window, although you can configure IE and Firefox browsers to transparently authenticate using their Windows domain login (see Enabling Transparent User Authentication).
- HTTP Negotiate—Allow the device to negotiate the method between the user agent (the application the user is using to initiate the traffic flow) and the Active Directory server. Negotiation results in the strongest commonly supported method being used, in order, NTLM, then basic. Users log in to the network using their browser's default authentication popup window.
- HTTP Response Page—Prompt users to authenticate using a system-provided web page. This is a form of HTTP Basic authentication.
For the HTTP Basic, HTTP Response Page, and NTLM authentication methods, the user is redirected to the captive portal using the IP address of the interface. However, for HTTP Negotiate, the user is redirected using the fully-qualified DNS name firewall-hostname.AD-domain-name. If you want to use HTTP Negotiate, you must also update your DNS server to map this name to the IP addresses of all inside interfaces where you are requiring active authentication. Otherwise, the redirection cannot complete, and users cannot authenticate.

Define the traffic matching criteria on the Source/Destination tab. Keep in mind that active authentication will be attempted with HTTP traffic only. Therefore, there is no need to configure No Auth rules for non-HTTP traffic, and there is no point in creating Active Authentication rules for any non-HTTP traffic.
The Source/Destination criteria of an identity rule define the security zones (interfaces) through which the traffic passes, the IP addresses or the country or continent (geographical location) for the IP address, or the protocols and ports used in the traffic. The default is any zone, address, geographical location, protocol, and port.
To modify a condition, you click the + button within that condition, select the desired object or element, and click OK in the popup dialog box. If the criterion requires an object and the object you require does not exist, you can create a new object from the same dialog box. Click the x for an object or element to remove it from the condition. You can configure the following traffic matching criteria.
Source Zones, Destination Zones—The security zone objects that define the interfaces through which the traffic passes. You can define one, both, or neither criteria: any criteria not specified applies to traffic on any interface.
- To match traffic leaving the device from an interface in the zone, add that zone to the Destination Zones.
- To match traffic entering the device from an interface in the zone, add that zone to the Source Zones.
- If you add both source and destination zone conditions to a rule, matching traffic must originate from one of the specified source zones and egress through one of the destination zones.
You would use this criteria when the rule should apply based on where the traffic enters or exits the device. For example, if you want to ensure that user identity is collected from all traffic originating from inside networks, select an inside zone as the Source Zones while leaving the destination zone unspecified.
Source Networks, Destination Networks—The network objects or geographical locations that define the network addresses or locations of the traffic.
- To match traffic from an IP address or geographical location, configure the Source Networks.
- To match traffic to an IP address or geographical location, configure the Destination Networks.
- If you add both source and destination network conditions to a rule, matching traffic must originate from one of the specified IP addresses and be destined for one of the destination IP addresses.
When you add this criteria, you select from the following tabs:
- Network—Select the network objects or groups that define the source or destination IP addresses for the traffic you want to control.
- Geolocation—Select the geographical location to control traffic based on its source or destination country or continent. Selecting a continent selects all countries within the continent. Besides selecting geographical location directly in the rule, you can also select a geolocation object that you created to define the location. Using geographical location, you could easily restrict access to a particular country without needing to know all of the potential IP addresses used there.
To ensure you are using up-to-date geographical location data to filter your traffic, Cisco strongly recommends that you regularly update the geolocation database.
Source Ports, Destination Ports/Protocols—The port objects that define the protocols used in the traffic. For TCP/UDP, this can be ports.
- To match traffic from a protocol or port, configure the Source Ports. Source ports can be TCP/UDP only.
- To match traffic to a protocol or port, configure the Destination Ports/Protocols.
- To match traffic both originating from specific TCP/UDP ports and destined for specific TCP/UDP ports, configure both. If you add both source and destination ports to a condition, you can only add ports that share a single transport protocol, TCP or UDP. For example, you could target traffic from port TCP/80 to