- Cisco ASA with FirePOWER Services Local Management Configuration Guide
- Introduction to the Cisco ASA FirePOWER Module
- Managing Reusable Objects
- Managing Device Configuration
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Controlling Traffic Based on Users
- Controlling Traffic Using Intrusion and File Policies
- Intelligent Application Bypass
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Network Analysis and Intrusion Policies
- Using Layers in a Network Analysis or Intrusion Policy
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Policies Using Rules
- Detecting Specific Threats
- Globally Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Introduction to Identity Data
- Realms and Identity Policies
- User Identity Sources
- DNS Policies
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Viewing Events
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Using the ASA FirePOWER Dashboard
- Using ASA FirePOWER Reporting
- Scheduling Tasks
- Managing System Policies
- Configuring ASA FirePOWER Module Settings
- Licensing the FireSIGHT System ASA FirePOWER Module
- Updating ASA FirePOWER Module Software
- Monitoring the System
- Using Backup and Restore
- Generating Troubleshooting Files
- Importing and Exporting Configurations
- Viewing the Status of Long-Running Tasks
- Security, Internet Access, and Communication Ports
User Identity Sources
The ASA FirePOWER module supports the following identity sources:
- Authoritative User Agent reporting collects user data for user awareness and user access control. If you want to configure User Agents to monitor users when they log in and out of hosts or authenticate with Active Directory credentials, see The User Agent Identity Source.
- Authoritative Identity Services Engine (ISE) reporting collects user data for user awareness and user access control. If you have an ISE deployment and you want to configure ISE to monitor users as they authenticate via Active Directory domain controllers (DC), see The Identity Services Engine (ISE) Identity Source.
- Authoritative captive portal authentication actively authenticates users on your network and collects user data for user awareness and user control. If you want to configure virtual routers or Firepower Threat Defense devices to perform captive portal authentication, see The Captive Portal Identity Source.
Data from those identity sources is stored in the ASA FirePOWER module users database and the user activity database.You can configure database-server queries to automatically download new data to your module.
For more information about user detection in the ASA FirePOWER module, see User Detection Fundamentals.
Troubleshooting Issues with User Identity Sources
See the following sections for information about troubleshooting issues with your identity sources.
If you experience issues with the User Agent connection, see the Firepower User Agent Configuration Guide .
If you experience issues with user data reported by the User Agent, note the following:
- After the system detects activity from a User Agent user whose data is not yet in the database, the system retrieves information about them from the server. In some cases, the system requires up to 60 minutes to successfully retrieve this information from Active Directory servers. Until the data retrieval succeeds, activity seen by the User Agent user is handled by access control rules, and is not displayed in the web interface.
If you experience issues with the ISE connection, check the following:
- The pxGrid Identity Mapping feature within ISE must be enabled before you can successfully integrate ISE with the Firepower System.
- All ISE system certificates and Firepower Management Center certificates must include the serverAuth and clientAuth extended key usage values.
- The time on your ISE device must be synchronized with the time on the Firepower Management Center. If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals.
- If your deployment includes a primary and a secondary pxGrid node, the certificates for both nodes must be signed by the same certificate authority.
- If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.
If you experience issues with user data reported by ISE, note the following:
- After the system detects activity from an ISE user whose data is not yet in the database, the system retrieves information about them from the server. In some cases, the system requires up to 60 minutes to successfully retrieve this information from Active Directory servers. Until the data retrieval succeeds, activity seen by the ISE user is handled by access control rules, and is not displayed in the web interface.
If you experience issues with captive portal authentication, note the following:
- After a captive portal user enters their login credentials, the system checks their credentials against the data in the server. In some cases, if the user’s data was not yet in the database, the system requires up to 60 minutes to successfully retrieve this information from Active Directory servers. Until the data retrieval succeeds, the captive portal user is not authenticated.
If the captive portal user is not authenticated after 25 seconds, the system displays an error message and the captive portal user’s session times out. The user must retry their captive portal login.
The User Agent Identity Source
The User Agent is a passive authentication method and one of the authoritative identity sources supported by the ASA FirePOWER module. When integrated with the ASA FirePOWER module, the agent monitors users when they log in and out of hosts or authenticate with Active Directory credentials. The User Agent does not report failed login attempts. The data gained from the User Agent can be used for user awareness and user control. You invoke passive authentication in your identity policy.
Installing and using User Agents allows you to perform user control; the agents associate users with IP addresses, which allows access control rules with user conditions to trigger. You can use one agent to monitor user activity on up to five Active Directory servers.
The User Agent requires a multi-step configuration, and includes the following:
- Computers or servers with the agent installed.
- Connections between an ASA FirePOWER module and the computers or Active Directory servers with the agent installed.
- Connections between the ASA FirePOWER module and the monitored LDAP servers, configured as directories within identity realms.
You can install an agent on any computer or server running:
- Microsoft Windows Vista
- Microsoft Windows 7
- Microsoft Windows 8
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
- Microsoft Windows Server 2012
The computer must also have TCP/IP access to the device and the Microsoft Active Directory servers you want to monitor. You can also install an agent on any Active Directory server running one of the supported operating systems. If you want to perform real-time data retrieval, the server must be running Windows Server 2008 or Windows Server 2012.
For detailed information about the multi-step User Agent configuration and a complete discussion of the server requirements, see the User Agent Configuration Guide .
The ASA FirePOWER module connection not only allows you to retrieve metadata for the users whose logins and logoffs were detected by User Agents, but also is used to specify the users and groups you want to use in access control rules. If the agent is configured to exclude specific user names, login data for those user names are not reported to the ASA FirePOWER module. User agent data is stored in the user database and user activity database on the device.
Note User Agents cannot transmit Active Directory user names ending with the $ character to the ASA FirePOWER module. You must remove the final $ character if you want to monitor these users.
If multiple users are logged into a host using remote sessions, the agent may not detect logins from that host properly. For information about how to prevent this, see the User Agent Configuration Guide .
Configuring a User Agent Connection
- If you plan to implement user access control, configure and enable an Active Directory realm for your User Agent connection as described in Creating a Realm
To configure a User Agent Connection:
Step 1 Select Configuration > ASA FirePOWER Configuration > Integration > Identity Sources .
Step 2 Select User Agent for the Service Type to enable the User Agent connection.
Note To disable the connection, select None.
Step 3 Click the Add New Agent button to add a new agent.
Step 4 Type the Hostname or Address of the computer where you plan to install the agent. You must use an IPv4 address; you cannot configure the ASA FirePOWER module to connect to a User Agent using an IPv6 address.
Step 6 To delete a connection, click the delete icon (
) and confirm that you want to delete it.
The Identity Services Engine (ISE) Identity Source
The pxGrid Identity Mapping feature within the Cisco Identity Services Engine (ISE) is a passive authentication method and one of the authoritative identity sources supported by the ASA FirePOWER module. When integrated with the ASA FirePOWER module, this ISE feature monitors users as they authenticate via Active Directory domain controllers (DC).
Note The ASA FirePOWER module does not support 802.1x machine authentication alongside AD authentication because the system does not associate machine authentication with users. If you use 802.1x active logins, configure ISE to report only 802.1x active logins (both machine and user). That way, a machine login is reported only once to the system.
ISE does not report failed login attempts. The data gained from ISE can be used on the ASA FirePOWER module for user awareness and user control. You invoke passive authentication in your identity policy.
Caution If you configure ISE to monitor a large number of user groups, the system may drop user mappings based on groups, due to memory limitations. As a result, access control rules with realm or user conditions may not fire as expected.
Note Make sure the time on your ISE device is synchronized with the time on the ASA FirePOWER module. If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals.
Configuring an ISE connection also populates the ASA FirePOWER module database with ISE attribute data: Security Group Tag (SGT) , Endpoint Profile , and Endpoint Location . ISE attributes can be used for user awareness and in access control rule conditions.
The SGT attribute is applied by Cisco TrustSec as packets enter trusted TrustSec networks. With ISE configured, the module identifies users and their SGT, which you can use for access control.
The Endpoint Location attribute is applied by Cisco ISE and identifies the IP address of the endpoint device.
The Endpoint Profile attribute is applied by Cisco ISE and identifies the endpoint device type for each packet.
For more information about the Cisco ISE product, see the Cisco Identity Services Engine Administrator Guide .
ISE Fields
The following fields are used to configure a connection to ISE.
Primary and Secondary Host Name/IP Address
The hostname or IP address for the primary and, optionally, the secondary ISE servers.
The certificate authority for the pxGrid framework. If your deployment includes a primary and a secondary pxGrid node, the certificates for both nodes must be signed by the same certificate authority.
The certificate authority for the ISE certificate when performing bulk downloads. If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.
The certificate and key that the ASA FirePOWER module should provide to ISE when connecting to ISE or performing bulk downloads.
An optional filter you can set to restrict the networks monitored by ISE. If you provide a filter, ISE monitors the networks within that filter. You can specify a filter in the following ways:
– Leave the field blank to specify any.
– Enter a single IPv4 address block using CIDR notation.
– Enter a list of IPv4 address blocks using CIDR notation, separated by commas.
Configuring an ISE Connection
To configure a User Agent Connection:
Step 1 Select Configuration > ASA FirePOWER Configuration > Integration > Identity Sources .
Step 2 Select Identity Services Engine for the Service Type to enable the ISE connection.
Note To disable the connection, select None.
Step 3 Type a Primary Host Name/IP Address and, optionally, a Secondary Host Name/IP Address .
Step 4 Select the appropriate certificates from the
pxGrid Server CA
,
MNT Server CA
, and
MC Server Certificate
drop-down lists. Optionally, click the add icon (
) to create an object on the fly.
Step 5 Optionally, type an ISE Network Filter using CIDR block notation.
Step 6 If you want to test the connection, click Test .
The Captive Portal Identity Source
Captive portal is one of the authoritative identity sources supported by the ASA FirePOWER module. It is the only active authentication method supported by the ASA FirePOWER module, where users can authenticate onto the network through a device.
Active authentication using captive portal is performed on HTTP and HTTPS traffic only. To use captive portal with HTTPS traffic, you must create SSL rules to decrypt the traffic originating from the users you want to authenticate using captive portal.
When configured and deployed, users from specified realms authenticate through ASA FirePOWER devices in routed mode running Version 9.5(2) or later. The authentication data gained from captive portal can be used for user awareness and user control.
Captive portal also records failed authentication attempts. A failed attempt does not add a new user to the list of users in the database. The user activity type for failed authentication activity reported by captive portal is Failed Auth User .
You use the
captive-portal
ASA CLI command to enable captive portal for active authentication as described in the
ASA Firewall Configuration Guide
for your version:
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html
. You continue configuring captive portal in your identity policy and invoke it (active authentication) in your identity rules. Identity policies are invoked in your access control policies. For more information, see Configuring Captive Portal (Active Authentication)
Captive portal can e performed only by a device with one or more routed interfaces configured.
The system does not validate the type of interface in ASA with FirePOWER devices. If you apply a captive portal policy to an inline (tap mode) interface on an ASA with FirePOWER device, the policy deployment succeeds but users in traffic matching those rules are identified as Unknown.
Note the following access control rule and SSL rule requirements:
- You must create an access control rule to allow traffic destined for the IP address and port you plan to use for captive portal. Traffic cannot be authenticated using captive portal if the destination port is not allowed in your access control policy.
- If you want to perform active authentication via captive portal on HTTPS traffic, you must create SSL rules to decrypt the traffic originating from the users you want to authenticate using captive portal.
- If you want to decrypt traffic in the captive portal connection, you must create an SSL rule to decrypt the traffic destined for the port you plan to use for captive portal.
, ASA FirePOWER Module-Server Downloads
Connections between the ASA FirePOWER module and your LDAP or AD servers allow you to retrieve user and user group metadata for certain detected users:
- LDAP and AD users authenticated by captive portal or reported by a User Agent or ISE. This metadata can be used for user awareness and user control.
- POP3 and IMAP user logins detected by traffic-based detection, if those users have the same email address as an LDAP or AD user. This metadata can be used for user awareness.
You configure an ASA FirePOWER module user database-server connection as a directory within a realm. You must select the Download users and user groups for access control check box to download a realm's user and user group data for user awareness and user control.
The ASA FirePOWER module obtains the following information and metadata about each user:
Feedback