Identity Policy Overview
You can use identity policies to detect the user who is associated with a connection. By identifying the user, you can correlate threat, endpoint, and network intelligence with user identity information. By linking network behavior, traffic, and events directly to individual users, the system can help you identify the source of policy breaches, attacks, or network vulnerabilities.
For example, you can identify who owns the host targeted by an intrusion event, and who initiated an internal attack or port scan. You can also identify high bandwidth users and users who are accessing undesirable web sites or applications.
User detection goes beyond collecting data for analysis. You can also write access rules based on user name or user group name, selectively allowing or blocking access to resources based on user identity.
You can obtain user identity using the following methods:
Passive authentication—For all types of connections, obtain user identity from other authentication services without prompting for username and password.
Active authentication—For HTTP connections only, prompt for username and password and authenticate against the specified identity source to obtain the user identity for the source IP address.
The following topics provide more information on user identity.
Establishing User Identity Through Passive Authentication
Passive authentication gathers user identity without prompting the user for username and password. The system obtains the mappings from the identity sources you specify.
You can passively obtain user-to-IP address mappings from the following sources:
Remote access VPN logins. The following user types are supported for passive identity:
User accounts defined in an external authentication server.
Local user accounts that are defined in Firepower Device Manager.
Cisco Identity Services Engine (ISE); Cisco Identity Services Engine Passive Identity Connector (ISE PIC).
If a given user is identified through more than one source, the RA VPN identity takes precedence.
Establishing User Identity through Active Authentication
Authentication is the act of confirming the identity of a user.
With active authentication, when an HTTP traffic flow comes from an IP address for which the system has no user-identity mapping, you can decide whether to authenticate the user who initiated the traffic flow against the directory configured for the system. If the user successfully authenticates, the IP address is considered to have the identity of the authenticated user.
Failure to authenticate does not prevent network access for the user. Your access rules ultimately decide what access to provide these users.
Dealing with Unknown Users
When you configure the directory server for the identity policy, the system downloads user and group membership information from the directory server. This information is refreshed every 24 hours at midnight, or whenever you edit and save the directory configuration (even if you do not make any changes).
If a user succeeds in authenticating when prompted by an active authentication identity rule, but the user’s name is not in the downloaded user identity information, the user is marked as Unknown. You will not see the user’s ID in identity-related dashboards, nor will the user match group rules.
However, any access control rules for the Unknown user will apply. For example, if you block connections for Unknown users, these users are blocked even though they succeeded in authenticating (meaning that the directory server recognizes the user and the password is valid).
Thus, when you make changes to the directory server, such as adding or deleting users, or changing group membership, these changes are not reflected in policy enforcement until the system downloads the updates from the directory.
If you do not want to wait until the daily midnight update, you can force an update by editing the directory realm information (from Save, then deploy changes. The system will immediately download the updates., then edit the realm ). Click
You can check whether new or deleted user information is on the system by going to Add Rule (+) button, and looking at the list of users on the Users tab. If you cannot find a new user, or you can find a deleted user, then the system has old information., clicking the