About Identity Sources
Identity sources are the AAA servers and databases that define user accounts for the people in your organization. You can use this information in a variety of ways, such as providing the user identity associated with an IP address, or authenticating remote access VPN connections or access to the FDM.
Use the
page to create and manage your sources. You then use these objects when you configure the services that require an identity source. Following are the supported identity sources and their uses:
- Active Directory (AD) Identity Realm
  Active Directory provides user account and authentication information. See Active Directory (AD) Identity Realms.
  You can use this source for the following purposes:
  - Remote Access VPN, as a primary identity source. You can use AD in conjunction with a RADIUS server.
  - Identity policy, for active authentication and as the user identity source used with passive authentication.
- AD (Active Directory) Realm Sequence
  An AD realm sequence is an ordered list of AD realm objects. Realm sequences are useful if you manage more than one AD domain in your network. See Configuring an AD Realm Sequence.
  You can use this source for the following purposes:
  - Identity policy, as the user identity source used with passive authentication. The order of the realms in the sequence determines how the system resolves user identity in the rare cases where the realms conflict.
- Cisco Identity Services Engine (ISE) or Cisco Identity Services Engine Passive Identity Connector (ISE PIC)
  If you are using ISE, you can integrate the Firepower Threat Defense device with your ISE deployment. See Identity Services Engine (ISE).
  You can use this source for the following purposes:
  - Identity policy, as a passive identity source to collect user identity from ISE.
- RADIUS Server, RADIUS Server Group
  If you are using RADIUS servers, you can also use them with the FDM. You must define each server as a separate object, then put the servers in server groups (where the servers in a given group are copies of each other). You assign the server group to features; you do not assign individual servers. See RADIUS Servers and Groups.
  You can use this source for the following purposes:
  - Remote Access VPN, as an identity source for authentication, and for authorization and accounting. You can use AD in conjunction with a RADIUS server.
  - Identity policy, as a passive identity source to collect user identity from remote access VPN logins.
  - External authentication for FDM or Firepower Threat Defense CLI management users. You can support multiple management users with different authorization levels. These users can log into the system for device configuration and monitoring purposes.
- SAML Server
  Security Assertion Markup Language 2.0 (SAML 2.0) is an open standard for exchanging authentication and authorization data between parties, specifically an Identity Provider (IdP) and a Service Provider (SP).
  You can use this source for the following purposes:
  - Remote access VPN, as a single sign-on (SSO) authentication source.
- LocalIdentitySource
  This is the local user database, which includes users that you have defined in the FDM. Select this source to manage the user accounts in this database. See Local Users.
  Note
  The local identity source database does not include users you configure in the CLI for CLI access (using the configure user add command). CLI users are completely separate from those you create in the FDM.
  You can use this source for the following purposes:
  - Remote Access VPN, as a primary or fallback identity source.
  - Identity policy, as a passive identity source to collect user identity from remote access VPN logins.