Users and groups in each forest can be authenticated by AD in the other forest, provided you configure the forests that way. If you set up the Firepower System with one realm for each forest and one directory for each domain controller, the Firepower System can use all of the users and groups in both forests in identity policy.
To continue the example, suppose you have three AD forests (one of which could be a subdomain or an independent forest), all joined by two-way transitive forest trusts. All users and groups are then available in all three forests and in the Firepower System. As in the preceding example, all three forests must be set up as realms and all domain controllers must be configured as directories in those realms. The example that follows shows how to set up the FMC to enforce identity policies on users and groups in a two-forest system with a two-way transitive forest trust.
Suppose each forest has at least one domain controller, each of which authenticates different users and groups. For the FMC to be able to enforce identity policies on those users and groups, you must set up each forest as an FMC realm and each domain controller as an FMC directory in the respective realm.
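The mapping described above (one realm per forest, one directory per domain controller, and a two-way transitive trust between forests) can be derived from what AD itself reports. The following script is an added example, not part of the Cisco guide; it assumes the ActiveDirectory RSAT module on a domain-joined Windows host and prints a checklist of realms and directories to create in the FMC, flagging trusts that are not two-way transitive.

```powershell
# Added example, not from the Cisco guide: derive the realm/directory list the
# FMC needs from what AD reports. Needs the ActiveDirectory RSAT module on a
# domain-joined host; any domain user can read this information.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}: configure one FMC realm for this forest" -f $forest.Name

# Each domain controller that authenticates users becomes one FMC directory
# in the realm for its forest. Read-only DCs are marked so you can decide
# whether to list them.
foreach ($domain in $forest.Domains) {
    "  Domain $domain"
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
        $kind = if ($_.IsReadOnly) { 'RODC' } else { 'DC' }
        "    directory: {0}  ({1}, {2})" -f $_.HostName, $_.IPv4Address, $kind
    }
}

# Trusts tell you which *other* forests need their own realm. Only a two-way
# (bidirectional) transitive forest trust lets users and groups of one forest
# be used in policy for logins seen in the other; anything weaker is flagged
# so the sync warnings described above are not a surprise.
Get-ADTrust -Filter * -Server $forest.RootDomain | ForEach-Object {
    $twoWayTransitive = ($_.Direction -eq 'BiDirectional') -and $_.ForestTransitive
    $advice = if ($_.IntraForest) { 'same forest; covered by the realm above' }
              elseif ($twoWayTransitive) { 'add a realm for this forest and a directory per DC' }
              else { 'WARNING: not a two-way transitive forest trust; its users/groups will not sync' }
    "Trust {0}: direction={1} forestTransitive={2} -> {3}" -f $_.Name, $_.Direction, $_.ForestTransitive, $advice
}
```

Run it once from each forest you intend to add; a trust that shows as Inbound or Outbound only, or with forestTransitive=False, is the usual cause of "some users and groups cannot be used in policy" warnings during synchronization.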
Failure to properly configure the FMC prevents some of the users and groups from being used in policies; you will see warnings when you try to synchronize users and groups in that case. (Figure labels from the original: Realm for forest; Directory in the realm for ASIA; Realm for eastforest.) Supported directory server: Microsoft Active Directory on Windows Server. Note the following about your server group configurations:
To perform user control on user groups or on users in groups, you must configure user groups on the LDAP or Active Directory server. Microsoft Windows servers limit the number of group members they report in a single query; if necessary, you can modify your Active Directory server configuration to increase this default limit and accommodate more users. When installed and configured, the TS Agent assigns unique ports to individual users so the Firepower System can uniquely identify those users.
The servers in your realms must use the attribute names listed in the following table for the Firepower Management Center to retrieve user metadata from the servers. If the attribute names are incorrect on your server, the Firepower Management Center cannot populate its database with the information in that attribute. (Table columns: FMC Attribute; Active Directory Attribute. The rows were not preserved.)
To connect securely from the FMC to your Active Directory server, first perform the following tasks: find the Active Directory server's name, and export the Active Directory server's root certificate. Microsoft is making these connection security settings a requirement because, when default settings are used, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to forward an authentication request to a Windows LDAP server.
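The guide does not name the settings it refers to; the following added check (not from the Cisco guide) assumes they are Microsoft's LDAP signing and LDAP channel binding enforcement on the domain controller, and shows how to confirm a DC enforces them and whether any client, the FMC included, is still binding insecurely. Registry value names and the Directory Service event ID are Microsoft's; the one-day lookback window is an arbitrary choice. Run it on each domain controller as a local administrator.

```powershell
# Added example, not from the Cisco guide: verify a DC enforces LDAP signing
# and channel binding, and surface clients that still bind without them.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

$signing = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$cbt     = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

# LDAPServerIntegrity: 1 (or absent) = signing negotiated but optional, 2 = signing required.
# LdapEnforceChannelBinding: 0 (or absent) = never, 1 = when supported, 2 = always.
"LDAP signing:         {0}" -f $(if ($signing -eq 2) { 'REQUIRED' } else { "not required (value=$signing)" })
"LDAP channel binding: {0}" -f $(switch ($cbt) { 2 { 'ALWAYS' } 1 { 'when supported' } default { "never (value=$cbt)" } })

# With '16 LDAP Interface Events' diagnostics set to 2, the DC logs event 2889
# for every client that does a SASL bind without signing or a simple bind on
# a connection that is not TLS-protected.
$level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if (-not $level -or $level -lt 2) {
    "Set '16 LDAP Interface Events' to 2 under $diag to have insecure binds logged as event 2889."
}

$since = (Get-Date).AddDays(-1)   # assumed lookback window
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The message names the client address:port and the account used. The
        # FMC's management address should not appear here once the realm
        # directory is configured with encryption and the CA certificate.
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Detail = (($_.Message -split "`n") | Select-Object -First 4) -join ' '
        }
    } | Format-Table -AutoSize
```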
For more information about realm and directory configuration fields, see Realm Fields and Realm Directory and Synchronize fields. Although the system allows you to specify the same AD Primary Domain for different AD realms, the system won't function properly. This happens because the system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group.
The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups would not be identified properly. To perform other tasks (such as enabling, disabling, or deleting a realm), see Manage a Realm. Enter realm information as discussed in Realm Fields.
In the Directory Server Configuration section, configure at least one directory. To configure another domain controller for this realm, click Add another directory. AD Primary Domain: the domain of the Active Directory server where users should be authenticated; for additional information, see Realm Fields. Base DN: the directory tree on the server where the Firepower Management Center should begin searching for user data. Group DN: the directory tree on the server where the Firepower Management Center should begin searching for group data.
Click to load groups from the Active Directory server. For more information about those fields, see Realm Fields. Limit the groups to use in policy by moving them to either the Included Groups or Excluded Groups list.
Moving one group to the Included Groups list, for example, allows that group only to be used in policy but excludes all other groups. For more information, see Realm Directory and Synchronize fields. Click Realm Configuration. When you're finished configuring the realm, click Save.
Synchronize Users and Groups. Edit, delete, enable, or disable a realm; see Manage a Realm. Optionally, monitor the task status; see Viewing Task Messages.
If you're using Kerberos to authenticate captive portal users, keep the following in mind. The managed device's host name must be less than 15 characters (a NetBIOS limitation set by Windows); otherwise, captive portal authentication fails.
You set the managed device host name when you set up the device. For more information, see an article like this one on the Microsoft documentation site: Naming conventions in Active Directory for computers, domains, sites, and OUs. DNS must return a response of 64KB or less for the host name; otherwise, testing the AD connection fails.
This limit applies in both directions (see the RFC on DNS message size). The following settings apply to all Active Directory servers or domain controllers (also referred to as directories) in a realm. Realm name: to use the realm in identity policies, the system supports alphanumeric and special characters.
You can add more users after creating the realm and update the password for the local users. AD Join Username and AD Join Password: for Microsoft Active Directory realms only. For Microsoft Active Directory realms intended for Kerberos captive portal active authentication, the distinguished username and password of any Active Directory user with appropriate rights to create a Domain Computer account in the Active Directory domain. The user name must be fully qualified (for example, administrator@mydomain).
The SHA-1 hash algorithm is not secure for storing passwords on your Active Directory server and should not be used. Directory Username and Directory Password: the distinguished username and password for a user with appropriate access to the user information you want to retrieve. For Microsoft Active Directory, the user does not need elevated privileges; you can specify any user in the domain. Base DN: if you don't specify a Base DN, the system retrieves the top-level DN, provided you can connect to the server.
Typically, the base distinguished name (DN) has a basic structure indicating the company domain name and organizational unit. Group DN: the directory tree on the server where the Firepower Management Center should search for users with the group attribute. If you don't specify a Group DN, the system retrieves the top-level DN, provided you can connect to the server. Following is the list of characters the Firepower System supports in users, groups, and DNs in your directory server. Using any characters other than the following could result in the Firepower System failing to download users and groups.
Enter the number of minutes before user sessions time out. The default is 24 hours after the user's login event. After the timeout is exceeded, the user's session ends; if the user continues to access the network without logging in again, the user is seen by the Firepower Management Center as Unknown (except for Failed Captive Portal Users). The timeout does not apply to sessions reported by ISE; instead, those session topic mappings are preserved as long as there is no delete or update message for a given mapping from ISE. Captive Portal Users: timeout for users who successfully log in using the captive portal, which is a type of active authentication.
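Before entering a Base DN, Group DN and directory account into the FMC, it is worth confirming from the AD side that the DNs resolve and that the unprivileged directory account can read what the FMC will ask for. The following script is an added example, not from the Cisco guide; the server name, DNs, member-count threshold and the character-class regex are assumptions to replace with your own (the guide's supported-character list is not reproduced here).

```powershell
# Added example, not from the Cisco guide: validate the Base DN / Group DN
# and directory account for an FMC realm directory, from a Windows host with
# the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$server     = 'dc1.example.test'              # assumed directory host name
$cred       = Get-Credential -Message 'Directory username (any domain user, no elevated rights)'
$baseDn     = 'OU=Users,DC=example,DC=test'   # assumed Base DN
$groupDn    = 'OU=Groups,DC=example,DC=test'  # assumed Group DN
$maxMembers = 1500                            # assumed: default number of member values a DC returns per LDAP query

# Both DNs must resolve; a typo here shows up in the FMC only as an empty download.
foreach ($dn in @($baseDn, $groupDn)) {
    try   { Get-ADObject -Identity $dn -Server $server -Credential $cred -ErrorAction Stop | Out-Null; "OK   $dn" }
    catch { "FAIL $dn : $($_.Exception.Message)" }
}

# Users the FMC can see are those under the Base DN. Read only the attributes
# the FMC stores (name, first/last name, mail, department, telephone number).
$users = Get-ADUser -SearchBase $baseDn -SearchScope Subtree -Filter * -Server $server -Credential $cred `
             -Properties mail, department, telephoneNumber
"Users under Base DN: $(@($users).Count)"

# Groups under the Group DN with their member counts. The FMC's own LDAP
# query (not this cmdlet) receives at most $maxMembers member values per
# response, so a larger group is reported short unless the DC limit is raised.
Get-ADGroup -SearchBase $groupDn -SearchScope Subtree -Filter * -Server $server -Credential $cred -Properties member |
    ForEach-Object {
        $n = @($_.member).Count
        [pscustomobject]@{
            Group   = $_.Name
            Members = $n
            Note    = $(if ($n -ge $maxMembers) { 'LARGE: raise the DC member-value limit or split the group' }
                        elseif ($n -eq 0)       { 'empty' } else { '' })
        }
    } | Sort-Object Members -Descending | Format-Table -AutoSize

# Group names with characters the FMC does not accept fail to download.
# Assumed regex: letters, digits, space, dot, underscore and hyphen; anything
# else is listed for review against the guide's supported-character list.
Get-ADGroup -SearchBase $groupDn -SearchScope Subtree -Filter * -Server $server -Credential $cred |
    Where-Object { $_.Name -notmatch '^[A-Za-z0-9 ._-]+$' } |
    ForEach-Object { "Review group name for unsupported characters: '$($_.Name)'" }
```

Running it with the exact account you will type into Directory Username is the point: the FMC needs no elevated privileges, and a failure here (for example an OU the account cannot read) is the same failure you would otherwise only see as a yellow triangle after synchronization.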
Failed Captive Portal Users : Timeout for users who do not successfully log in using the captive portal. A Failed Auth User can optionally be granted access to the network using access control policy and, if so, this timeout value applies to those users. For more information about failed captive portal logins, see Captive Portal Fields. Guest Captive Portal Users : Timeout for users who log in to the captive portal as a guest user. These settings apply to individual servers such as Active Directory domain controllers in a realm.
Encryption (strongly recommended): the encryption method to use for the Firepower Management Center-server connection. SSL Certificate: the SSL certificate to use for authentication to the server. Interface used to connect to Directory server: for example, Resolve via route lookup uses routing to connect to the Active Directory server. Groups that are displayed in the Available Groups field are available for policy unless you move groups to the Add to Include or Add to Exclude field.
If you move groups to the Add to Include field, only those groups are downloaded and user data is available for user awareness and user control. If you move groups to the Add to Exclude field, all groups except these are downloaded and available for user awareness and user control.
To include users from groups that are not included, enter the user name in the field below Groups to Include and click Add. To exclude users from groups that are not excluded, enter the user name in the field below Groups to Exclude and click Add.
To create a secure connection between an Active Directory server and the FMC (which we strongly recommend), you must perform all of the following tasks. To configure a realm directory in the FMC, you must know the fully qualified server name, which you can find as discussed in the procedure that follows.
You must log in to the Active Directory server as a user with sufficient privileges to view the computer's name. The task that follows discusses how to export the Active Directory server's root certificate, which is required for the FMC to connect securely and obtain user identity information.
You must know the name of your Active Directory server's root certificate. The root certificate might have the same name as the domain, or the certificate might have a different name. Following is one way to find the name of the Active Directory server's root certificate; there could be other ways, so consult Microsoft documentation for more information:
Log in to the Active Directory server as a user with privileges to run the Microsoft Management Console. Click Start and enter mmc. From the Available Snap-ins list in the left pane, click Certificates. At the Certificates snap-in dialog box, click Computer Account and click Next. Windows Server only: repeat the preceding steps to add the Certification Authority snap-in. Export the certificate using the certutil command.
This is only one way to export the certificate. It's a convenient way, especially if you can run a web browser and connect to the FMC from the Active Directory server. Click Start and enter cmd. Enter the command certutil -ca. Synchronizing users and groups means the FMC queries the realms and directories you configured for groups and users in those groups.
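The two preceding tasks (finding the server's fully qualified name and exporting its root certificate) can also be scripted, which makes it easy to check the exported file before importing it into the FMC and to confirm that the server's LDAPS listener actually chains to that root. The following is an added example, not from the Cisco guide; it assumes you run it on the Active Directory server as a user who can run certutil, and the output paths are placeholders.

```powershell
# Added example, not from the Cisco guide: find the FQDN, export the CA
# certificate with certutil, check that it really is a root, and verify the
# server's LDAPS chain ends in it.

# 1. The fully qualified server name to enter as the FMC directory host name.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
"Directory host name for the FMC realm: $fqdn"

# 2. Export the CA certificate this server is enrolled with (binary DER).
$der = Join-Path $env:TEMP 'ad-root.cer'   # assumed output path
$pem = Join-Path $env:TEMP 'ad-root.pem'   # assumed output path
& certutil.exe -ca.cert $der | Out-Null
if (-not (Test-Path $der)) { throw "certutil -ca.cert did not produce $der" }

# 3. Base64 (PEM) copy, for tools that will not take DER.
& certutil.exe -encode $der $pem | Out-Null

# 4. Sanity checks before importing into the FMC: a root is self-signed
#    (subject equals issuer), carries the CA basic constraint, and is unexpired.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $der
$isCa = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    ForEach-Object { $_.CertificateAuthority }
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Self-signed: $($cert.Subject -eq $cert.Issuer)   CA: $isCa   Expires: $($cert.NotAfter)"
if ($cert.Subject -ne $cert.Issuer) { Write-Warning 'This is an intermediate CA, not the root; export the root instead.' }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate is expired.' }

# 5. Connect to LDAPS (636) and build the presented chain against this root,
#    the same check the FMC performs when Encryption is set with this certificate.
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($fqdn)
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($cert) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"LDAPS leaf: $($leaf.Subject); chain builds: $built; anchored at: $($root.Subject)"
if ($root.Thumbprint -ne $cert.Thumbprint) { Write-Warning 'LDAPS chain does not end in the exported certificate.' }
$ssl.Dispose(); $tcp.Dispose()
```

The validation callback returns true only so that the handshake completes and the chain can be inspected explicitly in step 5; it is not a pattern to copy into anything that talks to the directory for real.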
All users the FMC finds can be used in identity policies. If issues are found, you most likely need to add a realm that contains the users and groups the FMC cannot load. For details, see Realms and Trusted Domains and Create a Realm and Realm Directory. Next to each realm, click Download. A yellow triangle indicates there were issues synchronizing users and groups.
Make sure you added a realm for each Active Directory forest and a directory for each Active Directory domain controller. For more details, see Troubleshoot Cross-Domain Trust. The following procedure enables you to create a realm sequence, which is an ordered list of realms the Firepower System searches when it applies identity policy. You add a realm sequence to an identity rule exactly the same way as you add a realm; the difference is that the Firepower System searches all the realms in the order specified in the realm sequence when applying an identity policy.
You must create and enable at least two realms, each corresponding to a connection with an Active Directory server. You cannot create realm sequences for LDAP realms. Create a realm as discussed in Create a Realm and Realm Directory. Download users and groups and enable the realm as discussed in Synchronize Users and Groups. In the Name field, enter a name to identify the realm sequence.
In the Description field, enter a description for the realm sequence. Under Realms, click Add. To narrow your search, enter all or part of a realm name in Filter field. In the Add Realm Sequence dialog box, drag and drop the realms in the order in which you want the Firepower System to search for them.
See Create an Identity Policy. This is an introduction to several topics that walk you through configuring the FMC with two realms with cross-domain trust.
This step-by-step example involves two forests: forest. The forests are configured so that certain users and groups in each forest can be authenticated by AD in the other forest.
Realm and directory for forest. Realm and directory for eastforest. Each realm in the example has one domain controller, which is configured in the FMC as a directory.
The directories in this example are configured as follows:. This is the first task in a step-by-step procedure that explains how to configure the FMC to recognize Active Directory servers configured in a cross-domain trust relationship, which is an increasingly common configuration for enterprise organizations. You must configure Active Directory servers in a cross-domain trust relationship; see Realms and Trusted Domains for more information. If you authenticate users with LDAP, you cannot use this procedure.
Enter the following information to configure forest. The Directory Username can be any user in the Active Directory domain; no special permissions are required. The Interface used to connect to Directory server can be any interface that can connect to the Active Directory server. Click Test and make sure the test succeeds before you continue.
If your configuration was successful, the next page is displayed similar to the following. There are other optional configurations available on this page; for more information about them, see Realm Fields and Realm Directory and Synchronize fields. If you made changes on this page or tab pages, click Save. Enter the following information to configure eastforest. After you configure two or more Active Directory servers that have a cross-domain trust relationship, you must download users and groups.
That process exposes possible issues with the Active Directory configuration for example, groups or users downloaded for one Active Directory domain but not the other. At the end of the row of any realm in the cross-domain trust, click Download Now , then click Yes.
If groups and users fail to download, try again. If subsequent attempts fail, review your realm and directory setup as discussed in Realm Fields and Realm Directory and Synchronize fields. The final step in setting up cross-domain trust in the FMC is to make sure users and groups are downloaded without errors. A typical reason why users and groups do not download properly is that the realms to which they belong have not been downloaded to the FMC. This topic discusses how to diagnose that a group referred to in one forest cannot be downloaded because the realm is not configured to find the group in the domain controller hierarchy.
In the Realms column, if a yellow triangle is displayed next to the name of a realm, you have issues that must be resolved. If not, your realms are configured properly and you can stop here. Click Download Now, then click Yes. In the middle column, click either Groups or Users to find more information.
In the Groups or Users tab page, click the yellow triangle to display more information. The right column should display enough information that you can isolate the source of the issue. In the preceding example, forest. If, after synchronizing the eastforest. This section discusses how to perform various maintenance tasks for a realm using controls on the Realms page.
Note the following:. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. If View appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
Click Realms. To delete a realm, click Delete. To edit a realm, click Edit next to the realm and make changes as described in Create a Realm and Realm Directory. To enable a realm, slide State to the right; to disable a realm, slide it to the left. To download users and user groups, click Download. To copy a realm, click Copy. To compare realms, see Compare Realms. Click Compare Realms.
Choose Compare Realm from the Compare Against list. Choose the realms you want to compare from the Realm A and Realm B lists. Click OK. To navigate individually through changes, click Previous or Next above the title bar. Click Comparison Report to generate the realm comparison report. Click New Comparison to generate a new realm comparison view.
If you notice unexpected server connection behavior, consider tuning your realm configuration, device settings, or server settings. For other related troubleshooting information, see:.
Troubleshoot the Captive Portal Identity Source. Troubleshoot User Control. The Firepower Management Center's health monitor informs you of user or realm mismatches, which are defined as:.
User mismatch: A user is reported to the Firepower Management Center without being downloaded. A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the Firepower Management Center. Review the information discussed in Realm Fields. Realm mismatch: A user logs into a domain that corresponds to a realm not known to the Firepower Management Center.
For example, if you defined a realm that corresponds to a domain named domain. Users in this domain are identified by the Firepower Management Center as Unknown. You set the mismatch threshold as a percentage, above which a health warning is triggered. Unknown users that do not match identity rules have no policies applied to them. Although you can set up identity rules for Unknown users, we recommend keeping the number of rules to a minimum by identifying users and realms correctly.
For more information, see Detect Realm or User Mismatches. This solution applies to an AD domain that is in a trust relationship with other AD domains.
In the following discussion, external domain means a domain other than the one to which the user logs in. If a user belongs to a group defined in a trusted external domain, Firepower doesn't track membership in the external domain. For example, consider the following scenario: user mparvinder is defined on domain controller 1 (domain 1) and is a member of Group A, which is defined in a trusted external domain (domain 2). Even though user mparvinder is in Group A, the Firepower access control policy rules specifying membership in Group A don't match.
Solution: Create a similar group (Group B) in domain 1 that contains all domain 1 accounts that belong to Group A. Change the access control policy rule to match any member of Group A or Group B. A second scenario involves a child domain (child.) of a parent domain (parent.): user mparvinder is defined in the child domain. Even though user mparvinder is in the child domain, the Firepower access control policy rule matching a group in the parent domain does not match. Solution: Change the access control policy rule to match membership in either the parent domain group or the child domain group. If the AD join test fails, check the following:
The Test AD Join button on the realm configuration page verifies the following: the AD Join Username must be fully qualified (for example, administrator@mydomain).
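The workaround the guide gives next for this scenario is to create a similar group in domain 1 and match either group in the rule. The following script is an added example, not from the Cisco guide, that automates the mirror group: it reads Group A in the trusted external domain, keeps only the members that are really domain 1 accounts (stored there as foreign security principals, that is, SIDs), and creates or reconciles Group B in domain 1 to contain exactly those accounts. Domain controller names, group names and the target OU are assumptions.

```powershell
# Added example, not from the Cisco guide: build a domain 1 mirror (Group B)
# of an external domain 2 group (Group A) so Firepower group rules match.
Import-Module ActiveDirectory

$dc1      = 'dc1.domain1.test'              # assumed: domain the users log in to
$dc2      = 'dc2.domain2.test'              # assumed: trusted external domain holding Group A
$groupA   = 'Group A'
$groupB   = 'Group B'                       # the mirror group the guide tells you to create
$targetOu = 'OU=Groups,DC=domain1,DC=test'  # assumed location for Group B
$domain1Sid = (Get-ADDomain -Server $dc1).DomainSID.Value

# Members of Group A. Accounts from another domain are stored as
# CN=<SID>,CN=ForeignSecurityPrincipals,... and Firepower does not follow them.
$memberDns = (Get-ADGroup -Identity $groupA -Server $dc2 -Properties member).member
$domain1Accounts = foreach ($dn in @($memberDns)) {
    if ($dn -match '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals,') {
        $sid = $Matches[1]
        # Keep only principals issued by domain 1 (SID prefix) and resolve them
        # on a domain 1 DC; users and nested domain 1 groups both qualify.
        if ($sid -like "$domain1Sid-*") {
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Server $dc1
            if ($obj) { $obj } else { Write-Warning "Cannot resolve $sid in domain 1" }
        }
    }
}
"Domain 1 accounts that are members of '$groupA' in domain 2: $(@($domain1Accounts).Count)"

# Create Group B if needed, then make its membership match exactly (adds and removals).
$gB = Get-ADGroup -Filter "Name -eq '$groupB'" -Server $dc1 -SearchBase $targetOu
if (-not $gB) {
    $gB = New-ADGroup -Name $groupB -GroupScope Global -GroupCategory Security -Path $targetOu -Server $dc1 -PassThru
}
$current  = @((Get-ADGroup -Identity $gB -Server $dc1 -Properties member).member)
$wanted   = @($domain1Accounts | ForEach-Object { $_.DistinguishedName })
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })
if ($toAdd.Count)    { Add-ADGroupMember    -Identity $gB -Members $toAdd    -Server $dc1 }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $gB -Members $toRemove -Server $dc1 -Confirm:$false }
"'$groupB' now has $($wanted.Count) members; re-download users and groups in the FMC and match '$groupA' OR '$groupB' in the rule."
```

Because the mirror is reconciled rather than appended to, running the script on a schedule keeps Group B in step with Group A, which is the part of the guide's workaround that is otherwise easy to let drift.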
The user has sufficient privileges to create a computer in the domain and join the Firepower Management Center to the domain as a Domain Computer. If you notice the system performing user timeouts at unexpected intervals, confirm that the time on your ISE server is synchronized with the time on the Firepower Management Center.
If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals. If you configure an Active Directory realm that includes or excludes users who are members of a sub-group on your server, note that Microsoft Windows servers limit the number of group members they report in a single query. If necessary, you can modify your server configuration to increase this default limit and accommodate more users. If you have the realm Type configured incorrectly, users and groups cannot be downloaded because of a mismatch between the attribute the Firepower system expects and what the repository provides.
Users in Active Directory groups that have special characters in the group or organizational unit name might not be available for identity policy rules. Solution : Remove special characters from the group or organizational unit name. In some cases, the system requires additional time to successfully retrieve this information from Microsoft Windows servers. Note that this may also prevent the system from handling the user's traffic using access control rules.
If you notice user or user activity events contain unexpected IP addresses, check your realms. The system does not support configuring multiple realms with the same AD Primary Domain value.
If your deployment includes a terminal server and you have a realm configured for one or more servers connected to the terminal server, you must deploy the Cisco Terminal Services TS Agent to accurately report user logins in terminal server environments.
When installed and configured, the TS Agent assigns unique ports to individual users so the Firepower System can uniquely identify those users in the web interface. This section discusses how to detect realm or user mismatches , which are defined as:.
For additional details, see Troubleshoot Realms and User Downloads.
Apply the health policy to managed devices as discussed in Applying Health Policies. This opens the Health Monitor. Typical issues with troubleshooting the FMC configuration for cross-domain trust include the following: configuring a realm to exclude users from being downloaded when those users are referenced in a group in a different realm.
If there are issues with the FMC being able to synchronize users and groups with your Active Directory forests, the Sync Results tab page is displayed. Realms column: displays all realms configured in the system.
Click Refresh to update the list of realms. A yellow triangle is displayed to indicate issues in the realm; nothing is displayed next to a realm if all users and groups synchronized successfully. Groups column: click Groups to display all groups in the realm. As with realms, a yellow triangle indicates issues; click it to see more detail about the issue. Users column: displays all users in the group you selected in the Groups column. Clicking the yellow triangle displays more information to the right of the table.
Displays all groups the selected user belongs to.
This procedure enables you to create a realm directory, which corresponds to an LDAP server or a Microsoft Active Directory domain controller. An Active Directory server can have multiple domain controllers, each of which is capable of authenticating different users and groups.
For more information about realm directory configuration fields, see Realm Fields. On the Directory page, click Add Directory. Select an Encryption Mode. If you haven't already enabled the realm, on the Realms page, slide State to enabled. Download Users and Groups. This section discusses how to download users and groups from your Active Directory server to the Firepower Management Center. If you do not specify any groups to include, the system retrieves user data for all the groups that match the parameters you provided.
For performance reasons, Cisco recommends that you explicitly include only the groups that represent the users you want to use in access control. The maximum number of users the Firepower Management Center can retrieve from the server depends on your Firepower Management Center model.
If the download parameters in your realm are too broad, the Firepower Management Center obtains information on as many users as it can and reports the number of users it failed to retrieve in the Tasks tab of the Message Center. For more information about realm configuration fields, see Realm Fields.
To download users and groups manually, click Download next to the realm. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
You can skip the remainder of this procedure. To configure the realm for automatic user and group download, click Edit next to the realm. On the User Access Control page, check Download users and groups required for user access control.
Select a time to Begin automatic download at from the lists. Select a download interval from the Repeat Every list. To include or exclude user groups from the download, choose user groups from the Available Groups column and click Add to Include or Add to Exclude. To include or exclude individual users, enter them in the field below the group list; separate multiple users with commas. You must Add to Include if you want to perform user control on users in that group. If you leave a group in the Available Groups box, the group is not downloaded. If you move a group to the Add to Include box, the group is downloaded and user data is available for user awareness and user control.
If you move a group to the Add to Exclude box, the group is downloaded and user data is available for user awareness, but not for user control. This section discusses how to perform various maintenance tasks for a realm using controls on the Realms page. Note the following:. If View appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
Click Realms. To delete a realm, click Delete. To edit a realm, click Edit next to the realm and make changes as described in Create a Realm.
To enable a realm, slide State to the right; to disable a realm, slide it to the left. To download users and user groups, click Download. To copy a realm, click Copy. To compare realms, see Compare Realms. Click Compare Realms. Choose Compare Realm from the Compare Against list. Choose the realms you want to compare from the Realm A and Realm B lists.
Click OK. To navigate individually through changes, click Previous or Next above the title bar. Click Comparison Report to generate the realm comparison report.
Click New Comparison to generate a new realm comparison view. If you notice unexpected server connection behavior, consider tuning your realm configuration, device settings, or server settings. For other related troubleshooting information, see:. Troubleshoot the User Agent Identity Source. Troubleshoot the Captive Portal Identity Source. Troubleshoot User Control. The Firepower Management Center's health monitor informs you of user or realm mismatches, which are defined as:.
User mismatch: A user is reported to the Firepower Management Center without being downloaded. A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the Firepower Management Center. Review the information discussed in Realm Fields. Realm mismatch: A user logs into a domain that corresponds to a realm not known to the Firepower Management Center.
For example, if you defined a realm that corresponds to a domain named domain. Users in this domain are identified by the Firepower Management Center as Unknown. You set the mismatch threshold as a percentage, above which a health warning is triggered. Unknown users that do not match identity rules have no policies applied to them. Although you can set up identity rules for Unknown users, we recommend keeping the number of rules to a minimum by identifying users and realms correctly.
For more information, see Detect Realm or User Mismatches. This solution applies to an AD domain that is in a trust relationship with other AD domains. In the following discussion, external domain means a domain other than the one to which the user logs in.
If a user belongs to a group defined in a trusted external domain, Firepower doesn't track membership in the external domain. For example, consider the following scenario:. User mparvinder in controller 1 is a member of Group A. Even though user mparvinder is in Group A, the Firepower access control policy rules specifying membership Group A don't match.
Solution : Create a similar group in domain controller 1 that contains has all domain 1 accounts that belong to group A. Change the access control policy rule to match any member of Group A or Group B.
Domain child. User mparvinder is defined in child. Even though user mparvinder is in a child domain, the Firepower access control policy matching the parent. Solution : Change the access control policy rule to match membership in either parent. If it fails, check the following:. The Test AD Join button on the realm configuration page verifies the following:.
AD Join Username must be fully qualified for example, administrator mydomain. The user has sufficient privileges to create a computer in the domain and join the Firepower Management Center to the domain as a Domain Computer. If you notice the system performing user timeouts at unexpected intervals, confirm that the time on your user agent or ISE server is synchronized with the time on the Firepower Management Center.
If the appliances are not synchronized, the system may perform user timeouts at unexpected intervals. If you configure an Active Directory realm that includes or excludes users who are members of a sub-group on your server, note that Microsoft Windows servers limit the number of users they report:.
If necessary, you can modify your server configuration to increase this default limit and accommodate more users. If you have the realm Type configured incorrectly, users and groups cannot be downloaded because of a mismatch between the attribute the Firepower system expects and what the repository provides. Users in Active Directory groups that have special characters in the group or organizational unit name might not be available for identity policy rules.
Solution : Remove special characters from the group or organizational unit name. In some cases, the system requires additional time to successfully retrieve this information from Microsoft Windows servers.
Note that this may also prevent the system from handling the user's traffic using access control rules. If you notice user or user activity events contain unexpected IP addresses, check your realms. The system does not support configuring multiple realms with the same AD Primary Domain value. If your deployment includes a terminal server and you have a realm configured for one or more servers connected to the terminal server, you must deploy the Cisco Terminal Services TS Agent to accurately report user logins in terminal server environments.
When installed and configured, the TS Agent assigns unique ports to individual users so the Firepower System can uniquely identify those users in the web interface.
This section discusses how to detect realm or user mismatches, which are defined as:

For additional details, see Troubleshoot Realms and User Downloads. For more information, see Troubleshoot Realms and User Downloads. Apply the health policy to managed devices as discussed in Applying Health Policies.
This opens the Health Monitor. Feature introduced before Version 6.

Chapter: Create and Manage Realms (PDF, Complete Book; updated October 6)

Realms can: Specify the users and user groups whose activity you want to monitor. A realm sequence is not supported for LDAP. The Firepower Management Center obtains the following information and metadata about each user: LDAP user name, first and last names, email address, department, telephone number.

About User Activity Data: User activity data is stored in the user activity database and user identity data is stored in the users database.
Note If you remove a user that has been detected by the system from your user repository, the Firepower Management Center does not remove that user from its users database; you must manually delete it.
Supported for TS Agent data retrieval? Supported for captive portal data retrieval?

Note the following about your server group configurations: To perform user control on user groups or on users in groups, you must configure user groups on the LDAP or Active Directory server. To configure an Active Directory realm that includes or excludes users who are members of a sub-group on your server, note that Microsoft recommends that Active Directory has no more than users per group in Windows Server.

Supported Server Object Class and Attribute Names: The servers in your realms must use the attribute names listed in the following table for the Firepower Management Center to retrieve user metadata from the servers.
Table 1.
Step 3 Click Realms.
Step 4 To create a new realm, click Add Realm.
Step 5 To perform other tasks (such as enable, disable, or delete a realm), see Manage a Realm.
Step 6 Enter realm information as discussed in Realm Fields.
Step 7 Optional.
Step 8 Click OK.
Step 9 Configure at least one directory as discussed in Configure a Realm Directory.
Step 10 Configure user and user group download (required for access control) as discussed in Download Users and Groups.
Step 11 Click Realm Configuration.
Step 13 When you're finished configuring the realm, click Save.
Compare Realms.
Realm Configuration Fields: These settings apply to all Active Directory servers or domain controllers (also referred to as directories) in a realm. Name: A unique name for the realm.
Description Optional. Enter a description of the realm. The user you specify must be able to join computers to the Active Directory domain. Note The SHA-1 hash algorithm is not secure for storing passwords on your Active Directory server and should not be used. Directory Username and Directory Password The distinguished username and password for a user with appropriate access to the user information you want to retrieve.
Note the following: For Microsoft Active Directory, the user does not need elevated privileges. Group DN: The directory tree on the server where the Firepower Management Center should search for users with the group attribute. Note: Following is the list of characters the Firepower System supports in user names, group names, and DNs in your directory server.
Entity / Supported characters
User name: a-z A-Z !
The following fields are available when you edit an existing realm. User Session Timeout: Enter the number of minutes before user sessions time out.
Realm Directory and Download fields Realm Directory Fields These settings apply to individual servers such as Active Directory domain controllers in a realm. Port The port to use for the Firepower Management Center-controller connection. Encryption Strongly recommended. Download users and groups required for user access control Enables you to download users and groups for user awareness and user control.
Begin automatic download at, Repeat every: Specifies the frequency of the automatic downloads. Download Now: Click to synchronize groups and users with AD. Connect Securely to Active Directory: To create a secure connection between an Active Directory server and the FMC (which we strongly recommend), you must perform all of the following tasks: Export the Active Directory server's root certificate.
Find the Active Directory server's fully qualified name. Create the realm directory. See one of the following tasks for more information.
Before you begin: You must log in to the Active Directory server as a user with sufficient privileges to view the computer's name.
Procedure
Step 1 Log in to the Active Directory server.
Step 2 Click Start.
Step 3 Right-click This PC.
Step 4 Click Properties.
Step 5 Click Advanced System Settings.
Step 6 Click the Computer Name tab.
Step 7 Note the value of Full computer name. You must enter this exact name when you configure the realm directory in the FMC.
What to do next: Create a realm directory.
Before you begin: You must know the name of your Active Directory server's root certificate.
Procedure
Step 1 Following is one way to find the name of the Active Directory Server's root certificate; consult Microsoft documentation for more information: Log in to the Active Directory server as a user with privileges to run the Microsoft Management Console.
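As an added example (not part of the Cisco guide), the following PowerShell, run on the Active Directory server, gathers the two values the secure-connection tasks above call for: the Full computer name from Step 7 and a Base-64 export of the server's root certificate from the machine's Trusted Root store. The certificate subject `CN=EXAMPLE-ROOT-CA` and the output path are placeholders, not values from the guide.

```powershell
# Added example, not from the Cisco guide. Run in an elevated PowerShell
# session on the Active Directory server.

# 1. Full computer name (the value shown under System Properties > Computer Name).
#    Enter this exact name in the FMC realm directory.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This host is not domain-joined; run this on a domain controller."
}
$fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
Write-Output "Full computer name: $fqdn"

# 2. Candidate root CA certificates: self-signed (Subject equals Issuer)
#    and not yet expired. Pick the one that issued your AD server certificate.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending
$roots | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# 3. Export the chosen root certificate as Base-64 encoded X.509 (PEM).
#    $RootSubject is a placeholder: replace it with a Subject from the table above.
$RootSubject = 'CN=EXAMPLE-ROOT-CA'
$root = $roots | Where-Object Subject -eq $RootSubject | Select-Object -First 1
if (-not $root) {
    throw "No unexpired root certificate with subject '$RootSubject' found."
}
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
# Wrap the Base-64 body at 64 characters per line, as PEM readers expect.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [regex]::Replace($b64, '.{1,64}', '$&' + "`n") +
       "-----END CERTIFICATE-----"
$outFile = Join-Path $env:USERPROFILE 'Desktop\ad-root-ca.pem'   # placeholder path
Set-Content -Path $outFile -Value $pem -Encoding ascii
Write-Output "Root certificate written to $outFile (thumbprint $($root.Thumbprint))"
```

Upload the exported file when you create the realm directory, and confirm that the certificate's subject matches the issuer of the certificate the domain controller presents on the encrypted LDAP port.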