- Introduction to the Cisco ASA FirePOWER Module
- Managing Reusable Objects
- Managing Device Configuration
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Access Control Rules: Realms and Users
- Access Control Rules: Custom Security Group Tags
- Controlling Traffic Using Intrusion and File Policies
- Intelligent Application Bypass
- Access Control Using Content Restriction
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Network Analysis and Intrusion Policies
- Using Layers in a Network Analysis or Intrusion Policy
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Access Control Policies: Adaptive Profiles
- Getting Started with Intrusion Policies
- Tuning Intrusion Policies Using Rules
- Detecting Specific Threats
- Globally Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Introduction to Identity Data
- Realms and Identity Policies
- User Identity Sources
- DNS Policies
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Viewing Events
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Using the ASA FirePOWER Dashboard
- Using ASA FirePOWER Reporting
- Scheduling Tasks
- Managing System Policies
- Configuring ASA FirePOWER Module Settings
- Licensing the ASA FirePOWER Module
- Updating ASA FirePOWER Module Software
- Monitoring the System
- Using Backup and Restore
- Generating Troubleshooting Files
- Importing and Exporting Configurations
- Viewing the Status of Long-Running Tasks
- Security, Internet Access, and Communication Ports
User Identity Sources
The ASA FirePOWER module supports the following identity sources:
- Authoritative User Agent reporting collects user data for user awareness and user access control. If you want to configure User Agents to monitor users when they log in and out of hosts or authenticate with Active Directory credentials, see The User Agent Identity Source.
- Authoritative Identity Services Engine (ISE) reporting collects user data for user awareness and user access control. If you have an ISE deployment and you want to configure ISE to monitor users as they authenticate via Active Directory domain controllers (DC), see The Identity Services Engine (ISE) Identity Source.
- Authoritative captive portal authentication actively authenticates users on your network and collects user data for user awareness and user control. If you want to configure virtual routers or Firepower Threat Defense devices to perform captive portal authentication, see The Captive Portal Active Authentication Identity Source.
Data from those identity sources is stored in the ASA FirePOWER module users database and the user activity database.You can configure database-server queries to automatically download new data to your module.
For more information about user detection in the ASA FirePOWER module, see User Detection Fundamentals.
Troubleshooting Issues with User Identity Sources
See the following sections for information about troubleshooting issues with your identity sources.
If you experience issues with the User Agent connection, see the Firepower User Agent Configuration Guide .
If you experience issues with user data reported by the User Agent, note the following:
- After the system detects activity from a User Agent user whose data is not yet in the database, the system retrieves information about them from the server. In some cases, the system requires up to 60 minutes to successfully retrieve this information from Active Directory servers. Until the data retrieval succeeds, activity seen by the User Agent user is handled by access control rules, and is not displayed in the web interface.
If you experience issues with the ISE connection, check the following:
- The pxGrid Identity Mapping feature within ISE must be enabled before you can successfully integrate ISE with the Firepower System.
- All ISE system certificates and Firepower Management Center certificates must include the serverAuth and clientAuth extended key usage values.
- The time on your ISE device must be synchronized with the time on the Firepower Management Center. If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals.
- If your deployment includes a primary and a secondary pxGrid node, the certificates for both nodes must be signed by the same certificate authority.
- If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.
- If you updated to Version 6.1.x from Version 6.0.x and you are experiencing issues with your ISE connection, check your pxGrid server certificate. Version 6.1 is compliant with RFC6125-6.4.4, which states that certificate CNs should be ignored if there are SAN values specified. If the pxGrid server certificate in your ISE deployment is configured with a CN value and one or more SAN values, remove the CN value and add it as an additional SAN.
If you experience issues with user data reported by ISE, note the following:
- After the system detects activity from an ISE user whose data is not yet in the database, the system retrieves information about them from the server. In some cases, the system requires up to 60 minutes to successfully retrieve this information from Active Directory servers. Until the data retrieval succeeds, activity seen by the ISE user is handled by access control rules, and is not displayed in the web interface.
- You cannot perform user control on ISE users who were authenticated by an LDAP, RADIUS, or RSA domain controller.
- The ASA FirePOWER module does not receive user data for ISE Guest Services users.
- Your ISE version and configuration impact how you can use ISE in the Firepower System. For more information, see The Identity Services Engine (ISE) Identity Source.
If you experience issues with captive portal authentication, note the following:
- The time on your captive portal server must be synchronized with the time on the ASA FirePOWER module.
- If you have DNS resolution configured and you create an identity rule to perform Kerberos (or HTTP Negotiate, if you want Kerberos as an option) captive portal, you must configure your DNS server to resolve the hostname of the captive portal device. The hostname of the device you are using for captive portal must match the host name you provided when configuring DNS.
- If you select Kerberos (or HTTP Negotiate, if you want Kerberos as an option) as the Authentication Type in an identity rule, the Realm you select must be configured with an AD Join Username and AD Join Password in order to perform Kerberos captive portal active authentication.
The User Agent Identity Source
The User Agent is a passive authentication method and one of the authoritative identity sources supported by the ASA FirePOWER module. When integrated with the ASA FirePOWER module, the agent monitors users when they log in and out of hosts or authenticate with Active Directory credentials. The User Agent does not report failed login attempts. The data gained from the User Agent can be used for user awareness and user control. You invoke passive authentication in your identity policy.
Installing and using User Agents allows you to perform user control; the agents associate users with IP addresses, which allows access control rules with user conditions to trigger. You can use one agent to monitor user activity on up to five Active Directory servers.
The User Agent requires a multi-step configuration, and includes the following:
- Computers or servers with the agent installed.
- Connections between an ASA FirePOWER module and the computers or Active Directory servers with the agent installed.
- Connections between the ASA FirePOWER module and the monitored LDAP servers, configured as directories within identity realms.
For detailed information about the multi-step User Agent configuration and a complete discussion of the server requirements, see the User Agent Configuration Guide .
The ASA FirePOWER module connection not only allows you to retrieve metadata for the users whose logins and logoffs were detected by User Agents, but also is used to specify the users and groups you want to use in access control rules. If the agent is configured to exclude specific user names, login data for those user names are not reported to the ASA FirePOWER module. User agent data is stored in the user database and user activity database on the device.
Note User Agents cannot transmit Active Directory user names ending with the $
character to the ASA FirePOWER module. You must remove the final $
character if you want to monitor these users.
If multiple users are logged into a host using remote sessions, the agent may not detect logins from that host properly. For information about how to prevent this, see the User Agent Configuration Guide .
Configuring a User Agent Connection
- If you plan to implement user access control, configure and enable an Active Directory realm for your User Agent connection as described in Creating a Realm
To configure a User Agent Connection:
Step 1 Select Configuration > ASA FirePOWER Configuration > Integration > Identity Sources .
Step 2 Select User Agent for the Service Type to enable the User Agent connection.
Note To disable the connection, select None.
Step 3 Click the Add New Agent button to add a new agent.
Step 4 Type the Hostname or Address of the computer where you plan to install the agent. You must use an IPv4 address; you cannot configure the ASA FirePOWER module to connect to a User Agent using an IPv6 address.
Step 6 To delete a connection, click the delete icon ( ) and confirm that you want to delete it.
The Identity Services Engine (ISE) Identity Source
The pxGrid Identity Mapping feature within the Cisco Identity Services Engine (ISE) is a passive authentication method and one of the authoritative identity sources supported by the ASA FirePOWER module. When integrated with the ASA FirePOWER module, this ISE feature monitors users as they authenticate via Active Directory domain controllers (DC). You cannot perform user control on users who were authenticated via LDAP, RADIUS, or RSA domain controllers.
ISE does not report failed login attempts or the activity of ISE Guest Services users.
Note The ASA FirePOWER module does not support 802.1x machine authentication alongside AD authentication because the system does not associate machine authentication with users. If you use 802.1x active logins, configure ISE to report only 802.1x active logins (both machine and user). That way, a machine login is reported only once to the system.
The data gained from ISE can be used on the ASA FirePOWER module for user awareness and user control. You invoke passive authentication in your identity policy.
This version of the Firepower System supports Version 1.3 and Version 2.0 of Cisco ISE. Your ISE version and configuration impact how you can use ISE in the Firepower System. For example, version 2.0 patch 4 of ISE includes support for IPv6-enabled endpoints. If you are running Version 1.3 of ISE, you cannot gather user identity data or perform remediations on IPv6-enabled endpoints.
Note Make sure the time on your ISE device is synchronized with the time on the ASA FirePOWER module. If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals.
Configuring an ISE connection also populates the ASA FirePOWER module database with ISE attribute data: Security Group Tag (SGT) , Endpoint Profile , and Endpoint Location . ISE attributes can be used for user awareness and in access control rule conditions.
The Security Group Tag (SGT) specifies the privileges of a traffic source within a trusted network. Security Group Access (a feature of both Cisco TrustSec and Cisco ISE) automatically generates the SGT when a user adds a security group in TrustSec or ISE. SGA then applies the SGT attribute as packets enter the network. You can use SGTs for access control by configuring ISE as an identity source or creating custom SGT objects. For more information, see ISE SGT v. Custom SGT Rule Conditions.
The Endpoint Location attribute is applied by Cisco ISE and identifies the IP address of the endpoint device.
The Endpoint Profile attribute is applied by Cisco ISE and identifies the endpoint device type for each packet.
For more information about the Cisco ISE product, see the Cisco Identity Services Engine Administrator Guide .
ISE Fields
The following fields are used to configure a connection to ISE.
Primary and Secondary Host Name/IP Address
The hostname or IP address for the primary and, optionally, the secondary ISE servers.
The certificate authority for the pxGrid framework. If your deployment includes a primary and a secondary pxGrid node, the certificates for both nodes must be signed by the same certificate authority.
The certificate authority for the ISE certificate when performing bulk downloads. If your deployment includes a primary and a secondary MNT node, the certificates for both nodes must be signed by the same certificate authority.
The certificate and key that the ASA FirePOWER module should provide to ISE when connecting to ISE or performing bulk downloads.
The MC Server Certificate must include the clientAuth extended key usage value, or it must not include any extended key usage values.
An optional filter you can set to restrict the networks monitored by ISE. If you provide a filter, ISE monitors the networks within that filter. You can specify a filter in the following ways:
– Leave the field blank to specify any.
– Enter a single IPv4 address block using CIDR notation.
– Enter a list of IPv4 address blocks using CIDR notation, separated by commas.
Note This version of the Firepower System does not support filtering using IPv6 addresses, regardless of your ISE version.
Configuring an ISE Connection
To configure a User Agent Connection:
Step 1 Select Configuration > ASA FirePOWER Configuration > Integration > Identity Sources .
Step 2 Select Identity Services Engine for the Service Type to enable the ISE connection.
Note To disable the connection, select None.
Step 3 Type a Primary Host Name/IP Address and, optionally, a Secondary Host Name/IP Address .
Step 4 Select the appropriate certificates from the pxGrid Server CA , MNT Server CA , and MC Server Certificate drop-down lists. Optionally, click the add icon ( ) to create an object on the fly.
Step 5 Optionally, type an ISE Network Filter using CIDR block notation.
Step 6 If you want to test the connection, click Test .
The Captive Portal Active Authentication Identity Source
Captive portal is one of the authoritative identity sources supported by the ASA FirePOWER module. It is the only active authentication method supported by the ASA FirePOWER module, where users can authenticate onto the network through a device.
Active authentication via captive portal is performed on HTTP and HTTPS traffic only. If you want to perform captive portal on HTTPS traffic, you must create SSL rules to decrypt the traffic originating from the users you want to authenticate using captive portal.
When configured and deployed, users from specified realms authenticate through ASA FirePOWER devices in routed mode running Version 9.5(2) or later. The authentication data gained from captive portal can be used for user awareness and user control.
Captive portal also records failed authentication attempts. A failed attempt does not add a new user to the list of users in the database. The user activity type for failed authentication activity reported by captive portal is Failed Auth User .
You use the
captive-portal
ASA CLI command to enable captive portal for active authentication as described in the
ASA Firewall Configuration Guide
for your version:
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html
. You continue configuring captive portal in your identity policy and invoke it (active authentication) in your identity rules. Identity policies are invoked in your access control policies. For more information, see Configuring Captive Portal (Active Authentication)
Captive portal can only be performed by a device with one or more routed interfaces configured.
The system does not validate the type of interface in ASA with FirePOWER devices. If you apply a captive portal policy to an inline (tap mode) interface on an ASA with FirePOWER device, the policy deployment succeeds but users in traffic matching those rules are identified as Unknown.
Note the following access control rule and SSL rule requirements:
- You must create an access control rule to allow traffic destined for the IP address and port you plan to use for captive portal. Traffic cannot be authenticated using captive portal if the destination port is not allowed in your access control policy.
- If you want to perform active authentication via captive portal on HTTPS traffic, you must create SSL rules to decrypt the traffic originating from the users you want to authenticate using captive portal.
- If you want to decrypt traffic in the captive portal connection, you must create an SSL rule to decrypt the traffic destined for the port you plan to use for captive portal.
ASA FirePOWER Module-Server Downloads
Connections between the ASA FirePOWER module and your LDAP or AD servers allow you to retrieve user and user group metadata for certain detected users:
- LDAP and AD users authenticated by captive portal or reported by a User Agent or ISE. This metadata can be used for user awareness and user control.
- POP3 and IMAP user logins detected by traffic-based detection, if those users have the same email address as an LDAP or AD user. This metadata can be used for user awareness.
You configure an ASA FirePOWER module user database-server connection as a directory within a realm. You must select the Download users and user groups for access control check box to download a realm's user and user group data for user awareness and user control.
The ASA FirePOWER module obtains the following information and metadata about each user: