topic Re: ASA with domain users in Network Security

ASA with domain users

adamgibs7 — Fri, 21 Feb 2020 14:49:14 GMT

Dears,

I have implemented firepower with fire sight system, my problem is when a guest connect his laptop he get the IP address and he able to connect to the internet, I want the single sign on with source fire for domain users and if the user is not a domain user then the prompt should appear for username and password.

This is achievable in fortinet How I can achieve this with ASA.

thanks

Re: ASA with domain users

Marvin Rhoads — Thu, 23 Nov 2017 10:44:18 GMT

If you are managing your ASA Firepower service module with Firepower Management Center you can setup realm integration with your AD and require all non-AD users to use captive portal. The same is not possible using only ASDM-based management.

I'm not sure where a guest user account would be defined in your scenario though.

Re: ASA with domain users

adamgibs7 — Sat, 25 Nov 2017 07:52:49 GMT

Dear Marvin,

Can you route me to the documentation for the captive portal, as mentioned above in your reply.

Thanks

Re: ASA with domain users

Marvin Rhoads — Sat, 25 Nov 2017 14:18:32 GMT

Cisco has a Configuration Example document on just this integration. Please see the following:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

Additional details can be found in the FMC Configuration Guide here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/user_identity_sources.html#concept_6E7BBA97DD5D4883AA55185B6FEEE9BA

Re: ASA with domain users

adamgibs7 — Sat, 25 Nov 2017 23:21:54 GMT

Dear Marvin,

Thanks for the reply and the link provided I will configure and if I get stuck anywhere I will post the error, according to the link provided I have a small query below,

Please find the attached screenshot, I am running 6.0, none of the groups are selected in the user Download page but still the user name's are seen in the connection events, file events, malware events,

Do we have to select the groups in the user download page or by default all are included as I can see user groups when I create a policy.

Thanks

Re: ASA with domain users

Marvin Rhoads — Sun, 26 Nov 2017 02:56:23 GMT

You're welcome - please rate if it helped.

Re the groups, select them from the downloads page. That is where the user mapping to group is derived from.

Identification of end user identity is via one of the identity sources - User Agent, ISE, captive portal etc.

Association of that user identity to a group is via the selections you have available on the screenshot you shared.

Re: ASA with domain users

adamgibs7 — Sun, 26 Nov 2017 05:07:02 GMT

sure will rate and uptill now I have rated for your replies,

my question was if I don't include groups in the user download page Firesight will display me all the groups when configuring the access policies, so I don't have to include or exclude , this is an extra feature by FS that precisely displays only those group while configuring access policies

Thanks

Re: ASA with domain users

Marvin Rhoads — Sun, 26 Nov 2017 12:09:31 GMT

If you do not specify any groups to include, the system retrieves user data for all the groups that match the parameters you provided. For performance reasons, Cisco recommends that you explicitly include only the groups that represent the users you want to use in access control.

In my lab, I have specified only Domain Users and Domain Admins in my Realm configuration (screenshot #1 below). Thus, when configuring an ACP I only have those groups and their members to choose among when configuring a rule (screenshot #2).

Re: ASA with domain users

adamgibs7 — Mon, 27 Nov 2017 18:59:44 GMT

thanks