The following fields are used to configure a realm.

Realm Configuration Fields

These settings apply to all Active Directory servers or domain controllers (also referred to as directories) in a realm.

Name

A unique name for the realm. The system supports alphanumeric and special characters.

Description

(Optional.) Enter a description of the realm.

Type

The type of realm, AD for Microsoft Active Directory or LDAP for other supported LDAP repositories. For a list of supported LDAP repositories, see Supported Servers for Realms. You can authenticate captive portal users with an LDAP repository; all others require Active Directory.

Note	Only captive portal supports an LDAP realm.

AD Primary Domain

For Microsoft Active Directory realms only. Domain for the Active Directory server where users should be authenticated.

Note

You must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. Although the system allows you to specify the same AD Primary Domain for different AD realms, the system won't function properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group. The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups won't be identified properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group.

Directory Username and Directory Password

The distinguished username and password for a user with appropriate access to the user information you want to retrieve.

Note the following:

• For Microsoft Active Directory, the user does not need elevated privileges. You can specify any user in the domain.

• For OpenLDAP, the user's access privileges are determined by the <level> parameter discussed in section 8 of the OpenLDAP specification. The user's <level> should be auth or better.

• The user name must be fully qualified (for example, administrator@mydomain.com, not administrator).

Note

The SHA-1 hash algorithm is not secure for storing passwords on your Active Directory server and should not be used. For more information, consult a reference such as Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2 on Microsoft TechNet or Password Storage Cheat Sheet on the Open Web Application Security Project website.

Base DN

The directory tree on the server where the Firepower Management Center should begin searching for user data.

Typically, the base distinguished name (DN) has a basic structure indicating the company domain name and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com.

Group DN

The directory tree on the server where the Firepower Management Center should search for users with the group attribute. A list of supported group attributes is shown in Supported Server Object Class and Attribute Names.

Note

Following is the list of characters the Firepower System supports in users, groups, DNs in your directory server. Using any characters other than the following could result in the Firepower System failing to download users and groups. Entity Supported characters User name a-z A-Z 0-9 ! # $ % ^ & ( ) _ - { } ' . ~ ` Group name a-z A-Z 0-9 ! # $ % ^ & ( ) _ - { } ' . ~ ` Base DN and Group DN a-z A-Z 0-9 ! @ $ % ^ & * ( ) _ - . ~ ` [ ]

Group Attribute

(Optional.) The group attribute for the server, Member or Unique Member.

The following fields are available when you edit an existing realm.

User Session Timeout

Enter the number of minutes before user sessions time out. The default is 1440 (24 hours) after the user's login event. After the timeout is exceeded, the user's session ends; if the user continues to access the network without logging in again, the user is seen by the Firepower Management Center as Unknown.

Note	The user session timeout values apply to both active authentication (captive portal) and passive authentication ( user agent, ISE). Setting a large value might prevent user sessions from ending, resulting in those sessions being claimed by other users.

Realm Directory Fields

These settings apply to individual servers (such as Active Directory domain controllers) in a realm.

Hostname / IP Address

Fully qualified host name of the Active Directory domain controller machine. To find the fully qualified name, see Find the Active Directory Server's Name.

Port

The port to use for the Firepower Management Center-controller connection.

Encryption

(Strongly recommended.) The encryption method to use for the Firepower Management Center-server connection:

• STARTTLS—encrypted LDAP connection

• LDAPS—encrypted LDAP connection

• None—unencrypted LDAP connection (unsecured traffic)

To communicate securely with an Active Directory server, see Connect Securely to Active Directory.

SSL Certificate

The SSL certificate to use for authentication to the server. You must configure STARTTLS or LDAPS as the Encryption type in order to use an SSL certificate.

If you are using a certificate to authenticate, the name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but computer1.example.com in the certificate, the connection fails.

User Download Fields

AD Primary Domain

For Microsoft Active Directory realms only. Domain for the Active Directory server where users should be authenticated.

Note

You must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. Although the system allows you to specify the same AD Primary Domain for different AD realms, the system won't function properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group. The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups won't be identified properly. This happens because system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group.

Download users and groups (required for user access control)

Enables you to download users and groups for user awareness and user control.

Begin automatic download at, Repeat every

Specifies the frequency of the automatic downloads.

Download Now

Click to synchronize groups and users with AD.

Available Groups, Add to Include, Add to Exclude

Limits the groups that can be used in policy.

• Groups that are displayed in the Available Groups field are available for policy unless you move groups to the Add to Include or Add to Exclude field.

• If you move groups to the Add to Include field, only those groups are downloaded and user data is available for user awareness and user control.

• If you move groups to the Add to Exclude field, all groups except these are downloaded and available for user awareness and user control.

• To include users from groups that are not included, enter the user name in the field below Groups to Include and click Add.

• To exclude users from groups that are not excluded, enter the user name in the field below Groups to Exclude and click Add.

  Note	The users that are downloaded to the Firepower Management Center is calculated using the formula R = I - (E+e) + i , where R is list of downloaded users I is included groups E is excluded groups e is excluded users i is included users

Begin automatic download at

Enter the time and time interval at which to download users and groups from AD.

Use the following fields to configure identity rules.

Enabled

Choosing this option enables the identity rule in the identity policy. Deselecting this option disables the identity rule.

Action

Specify the type of authentication you want to perform on the users in the specified realm: Passive Authentication (default), Active Authentication, or No Authentication. You must fully configure the authentication method, or identity source, before selecting it as the action in an identity rule.

Caution

Adding the first or removing the last active authentication rule when SSL decryption is disabled (that is, when the access control policy does not include an SSL policy) restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. Note that an active authentication rule has either an Active Authentication rule action, or a Passive Authentication rule action with Use active authentication if passive authentication cannot identify user selected.

For information about which passive and active authentication methods are supported in your version of the Firepower System, see About User Identity Sources.

Realm

The realm containing the users you want to perform the specified Action on. You must fully configure a realm before selecting it as the realm in an identity rule.

Use active authentication if passive authentication cannot identify user

Selecting this option authenticates users using captive portal active authentication if a passive or a VPN authentication fails to identify them. You must configure captive portal active authentication in your identity policy in order to select this option.

If you disable this option, users that do not have a VPN identity or that passive authentication cannot identify are identified as Unknown.

Identify as Special Identities/Guest if authentication cannot identify user

This field is displayed only if you configure Active Authentication (that is, captive portal authentication) as the rule Action.

Authentication Type

The method to use to perform captive portal active authentication. The selections vary depending on the type of realm, LDAP or AD:

• Choose HTTP Basic if you want to authenticate users using an unencrypted HTTP Basic Authentication (BA) connection. Users log in to the network using their browser's default authentication popup window.

  Most web browsers cache the credentials from HTTP Basic logins and use the credentials to seamlessly begin a new session after an old session times out.

• Choose NTLM to authenticate users using a NT LAN Manager (NTLM) connection. This selection is available only when you select an AD realm. If transparent authentication is configured in a user's browser, the user is automatically logged in. If transparent authentication is not configured, users log in to the network using their browser's default authentication popup window.

• Choose HTTP Negotiate to allow the captive portal server to choose between HTTP Basic or NTLM for the authentication connection. This selection is available only when you select an AD realm.

  Note

  If you are creating an identity rule to perform HTTP Negotiate captive portal and you have DNS resolution configured, you must configure your DNS server to resolve the fully qualified domain name (FQDN) of the captive portal device. The FQDN must match the hostname you provided when configuring DNS. For ASA with FirePOWER Services , the FQDN must resolve to the IP address of the routed interface used for captive portal.