Access Control Rules: Realms and Users

Similar documents
Realms and Identity Policies

Realms and Identity Policies

Realms and Identity Policies

User Identity Sources

User Identity Sources

Access Control Rules: Network-Based

Rule Management: Common Characteristics

Getting Started with Access Control Policies

Access Control Using Intrusion and File Policies

About Advanced Access Control Settings for Network Analysis and Intrusion Policies

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.

Prefiltering and Prefilter Policies

Access Control Using Intrusion and File Policies

The following topics describe how to configure correlation policies and rules.

Manage Administrators and Admin Access Policies

Manage Administrators and Admin Access Policies

Security, Internet Access, and Communication Ports

The following topics describe how to configure traffic profiles:

Network Discovery Policies

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Quality of Service (QoS) for Firepower Threat Defense

Manage Administrators and Admin Access Policies

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

The following topics describe how to manage various policies on the Firepower Management Center:

Getting Started with Network Analysis Policies

Access Control Using Intelligent Application Bypass

Licensing the Firepower System

Connection Logging. Introduction to Connection Logging

Install and Configure the TS Agent

Sensitive Data Detection

Integrate the Cisco Identity Services Engine

Connection Logging. About Connection Logging

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

How to Configure Authentication and Access Control (AAA)

ACS 5.x: LDAP Server Configuration Example

Aggregate Interfaces and LACP

Installing and Configuring the TS Agent

There are two ways for a sensor device to detect the Security Group Tag (SGT) assigned to the traffic:

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity

External Alerting for Intrusion Events

Introduction to ISE-PIC

Network Deployments in Cisco ISE

Firepower Management Center High Availability

IPS Device Deployments and Configuration

ISE Version 1.3 Hotspot Configuration Example

The following topics describe how to work with reports in the Firepower System:

Security, Internet Access, and Communication Ports

Device Management Basics

Start Creating SSL Policies

Working with Reports

File Policies and AMP for Firepower

Firepower extensible Operating System (FXOS) 2.2: Chassis Authentication and Authorization for remote management with ACS using RADIUS

Cisco Threat Intelligence Director (TID)

Configure Guest Access

ForeScout CounterACT. Configuration Guide. Version 4.1

Integration of FireSIGHT System with ISE for RADIUS User Authentication

BIG-IP Access Policy Manager (APM) v11.2 Table of Contents

Data Structure Mapping

Security, Internet Access, and Communication Ports

Managing External Identity Sources

Connection and Security Intelligence Events

Security, Internet Access, and Communication Ports

Support Device Access

User Accounts for Management Access

Firepower Threat Defense Remote Access VPNs

Device Management Basics

Data Structure Mapping

File Policies and Advanced Malware Protection

LDAP/AD v1.0 User Guide

Active Directory as a Probe and a Provider

Cisco Threat Intelligence Director (TID)

Device Management Basics

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Configure Guest Access

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.2.4

Logging into the Firepower System

Network Deployments in Cisco ISE

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Support Device Access

Classic Device Management Basics

Host Identity Sources

SCADA Preprocessors. Introduction to SCADA Preprocessors. The Modbus Preprocessor

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording

Platform Settings for Classic Devices

Configure Guest Access

Detecting Specific Threats

NetConnect to GlobalProtect Migration Tech Note PAN-OS 4.1

Set Up Cisco ISE in a Distributed Environment

Exam Questions Demo Cisco. Exam Questions

BIG-IP Access Policy Manager : Secure Web Gateway. Version 12.1

VMware Identity Manager Administration

Licensing the Firepower System

Introducing Cisco Identity Services Engine for System Engineer Exam

KACE Systems Deployment Appliance 5.0. Administrator Guide

Application Layer Preprocessors

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Identity Firewall. About the Identity Firewall

Receiver for BlackBerry 2.2

Transcription:

The following topics describe how to control user traffic on your network: Realm, User, User Group, and ISE Attribute (SGT, Endpoint Profile, and Endpoint Location) Access Control Rule Conditions, page 1 Troubleshooting Issues with User Access Control Rules, page 2 Adding a Realm, User, or User Group Condition to an Access Control Rule, page 3 Adding an ISE Attribute (SGT, Endpoint Profile, or Endpoint Location) Condition to an Access Control Rule, page 4 Realm, User, User Group, and ISE Attribute (SGT, Endpoint Profile, and Endpoint Location) Access Control Rule Conditions Before you can perform user control (create access control rule conditions based on entire realms, individual users, user groups, or ISE attributes), you must: Configure a realm for each Microsoft Active Directory or LDAP server you want to monitor (including your ISE or User Agent servers). If you enable user download for the realm, the Firepower Management Center regularly and automatically queries the server to download metadata for newly or already-reported authoritative users and user groups. Create an identity policy to associate the realm with an authentication method. Configure one or more User Agents or ISE devices, or captive portal. If you want to use an ISE attribute (Security Group Tag (SGT), Endpoint Profile, or Endpoint Location) condition, you must configure ISE. User Agents, ISE, and captive portal collect authoritative user data that can be used for user control in access control rule conditions. The identity sources monitor specified users as they log in or out of hosts or authenticate using LDAP or AD credentials. Online Only 1

Troubleshooting Issues with User Access Control Rules Caution If you configure a User Agent or ISE device to monitor a large number of user groups, or if you have a very large number of users mapped to hosts on your network, the system may drop user mappings based on groups, due to your Firepower Management Center user limit. As a result, access control rules with realm, user, or user group conditions may not fire as expected. You can combine realm, user, group, and ISE attribute conditions to create simple or complex access control rules, matching and inspecting traffic using multiple conditions. You can add a maximum of 50 realms, users, and groups to the Selected Users in a single user condition. Conditions with user groups match traffic to or from any of the group s members, including members of any sub-groups, with the exception of individually excluded users and members of excluded sub-groups. Including a user group automatically includes all of that group s members, including members of any secondary groups. However, if you want to use the secondary group in access control rules, you must explicitly include the secondary group. Note Hardware-based fast-path rules, Security Intelligence-based traffic filtering, SSL inspection, user identification, and some decoding and preprocessing occur before access control rules evaluate network traffic. For more information about User Agents, ISE, and captive portal, see The User Agent Identity Source,, and The Captive Portal Identity Source. Troubleshooting Issues with User Access Control Rules If you notice unexpected user access control rule behavior, consider tuning your rule, identity source, or realm configurations. For other related troubleshooting information, see Troubleshooting Issues with User Identity Sources and Troubleshooting Issues with Realms and User Data Downloads. Access control rules targeting realms, users, or user groups are not firing If you configure a User Agent or ISE device to monitor a large number of user groups, or if you have a very large number of users mapped to hosts on your network, the system may drop user records due to your Firepower Management Center user limit. As a result, access control rules with realm or user conditions may not fire as expected. Access control rules targeting user groups or users within user groups are not firing as expected If you configure an access control rule with a user group condition, your LDAP or Active Directory server must have user groups configured. The Firepower Management Center cannot perform user group control if the server organizes the users in basic object hierarchy. 2 Online Only

Adding a Realm, User, or User Group Condition to an Access Control Rule Access control rules targeting users in secondary groups are not firing as expected If you configure an access control rule with a user group condition that includes or excludes users who are members of a secondary group on your Active Directory server, your server may be limiting the number of users it reports. By default, Active Directory servers limit the number of users they report from secondary groups. You must customize this limit so that all of the users in your secondary groups are reported to the Firepower Management Center and eligible for use in access control rules with user conditions. Access control rules are not matching users when seen for the first time After the system detects activity from a previously-unseen user, the system retrieves information about them from the server. Until the system successfully retrieves this information, activity seen by this user is not handled by matching access control rules. Instead, the user session is handled by the next access control rule it matches (or the access control policy default action). For example, this may explain when: Users who are members of user groups are not matching access control rules with user group conditions. Users who were reported by ISE or the User Agent are not matching access control rules, when the server used for user data retrieval is an Active Directory server. Note that this may also cause the system to delay the display of user data in event views and analysis tools. Access control rules are not matching all ISE users This is expected behavior. You can perform user access control on ISE users who were authenticated by an Active Directory domain controller. You cannot perform user access control on ISE users who were authenticated by an LDAP, RADIUS, or RSA domain controller. Adding a Realm, User, or User Group Condition to an Access Control Rule Smart License Classic License Supported Devices Supported Domains Access Control Administrator, Access Admin, Network Admin Before You Begin Configure one or more authoritative user identity sources as described in User Identity Sources. Configure a realm as described in Creating a Realm. A user download (automatic or on-demand) must be performed before you can configure realm, user, or user group conditions in an access control rule. Online Only 3

Adding an ISE Attribute (SGT, Endpoint Profile, or Endpoint Location) Condition to an Access Control Rule Procedure Step 1 Step 2 Step 3 Step 4 Step 5 In the access control rule editor, click the Users tab. Search by name or value above the Available Realms list and select a realm. Search by name or value above the Available Users list and select a user or group. Click Add to Rule, or drag and drop. Save or continue editing the rule. What to Do Next Deploy configuration changes; see Deploying Configuration Changes. Adding an ISE Attribute (SGT, Endpoint Profile, or Endpoint Location) Condition to an Access Control Rule Smart License Classic License Supported Devices Supported Domains Access Control Administrator, Access Admin, Network Admin Use the following procedure to configure an ISE attribute condition based on a user's Security Group Tag (SGT), Endpoint Profile, or Endpoint Location. For more information about ISE and ISE attributes, see. Before You Begin Configure ISE as described in Configuring an ISE Connection. Procedure Step 1 Step 2 Step 3 Step 4 Step 5 In the access control rule editor, click the ISE Attributes tab. Search by name or value above the Available ISE Session Attributes list and select an attribute. Search by name or value above the Available ISE Metadata list and select metadata. Click Add to Rule, or drag and drop. Tip You can also use the Add a Location IP Address field to add a Location IP attribute to the condition. The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Save or continue editing the rule. 4 Online Only

Adding an ISE Attribute (SGT, Endpoint Profile, or Endpoint Location) Condition to an Access Control Rule What to Do Next Deploy configuration changes; see Deploying Configuration Changes. Online Only 5

Adding an ISE Attribute (SGT, Endpoint Profile, or Endpoint Location) Condition to an Access Control Rule 6 Online Only

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback