topic FirePower1010 Identity Source unknown error in Network Security

FirePower1010 Identity Source unknown error

ratemaki — Fri, 23 Oct 2020 11:00:22 GMT

I am trying to add an identity source and fill in all the fields. But the test failed:
"Cannot connect to realm for Identity policies. Message returned: The connection test failed with an unknown error."
Domain controller is available from FirePower, telnet on 389 port is successfully.
Software is 6.6.0.1-7.

What can be wrong?

Re: FirePower1010 Identity Source unknown error

Mohammed al Baqari — Fri, 23 Oct 2020 17:36:02 GMT

Are you able to resolve the domain name from firepower? Also, are you
adding it to firepower as domain controller or ldap server. If ldap server
then test is expected to fail. Try it as domain controller.

***** please remember to rate useful posts

Re: FirePower1010 Identity Source unknown error

S3C — Fri, 23 Oct 2020 17:39:57 GMT

Hello!

I have been trying to do the same but ive read that identity policies uses the Management port. So if you still want to manage the FDM then you need a switch between the DC & MGMT.

Firepower MGMT -> Switch -> DC. But config the switch so you can access the FPR MGMT from another port on the switch. Also, setting a Data Interface for "Management Only" doesnt work either. (Didnt for me).

Though in my situation above wasnt a option so I let this go. 😞

Re: FirePower1010 Identity Source unknown error

ratemaki — Fri, 23 Oct 2020 17:58:59 GMT

Yes, domain name resolves from firepower.

And I added it as domain controller. I can add it only as AD but not as LDAP.

Re: FirePower1010 Identity Source unknown error

ratemaki — Fri, 23 Oct 2020 18:05:56 GMT

Domain controller is able from Management Interface firepower.

There is not ip adress on the diagnostic interface but it is up and mode is routed.

I use Device manager to configure firepower and this menu doesn't exist: "Firepower MGMT -> Switch -> DC."

Re: FirePower1010 Identity Source unknown error

Aref Alsouqi — Sun, 25 Oct 2020 12:38:07 GMT

Did you test the policy? or you just tried the configuration test? I've seen a few times the test failing but actually the connectivity between the AD the and device is working.

Re: FirePower1010 Identity Source unknown error

ratemaki — Mon, 26 Oct 2020 10:28:00 GMT

@Aref Alsouqi wrote:
Did you test the policy? or you just tried the configuration test? I've seen a few times the test failing but actually the connectivity between the AD the and device is working.

Yes, I tried to add the group of domain users in policy but there was just only "name_of_Identity\all users".

Re: FirePower1010 Identity Source unknown error

Aref Alsouqi — Mon, 26 Oct 2020 18:32:40 GMT

Never tried the all users before, I would try to specify the groups, and try again.

Re: FirePower1010 Identity Source unknown error

ratemaki — Tue, 27 Oct 2020 09:59:24 GMT

I created the policy in access control: Source Zone - Inside zone, Destination Zone - Outside Zone, Users - "name_of_Identity\test_group_users".
But there are no hits in this policy.

And reason is added users in policy. Without users the policy is working.

Re: FirePower1010 Identity Source unknown error

Aref Alsouqi — Wed, 28 Oct 2020 19:29:33 GMT

How did you configure the identity policy on the FTD? the FTD needs to build up the user to IP addresses mapping before the user based policy can work.

Re: FirePower1010 Identity Source unknown error

ratemaki — Thu, 29 Oct 2020 12:46:16 GMT

The identity policy settings are in attachment sreen. AD Identity Source is Identity Realm (AD)

How can I mapping users to IPs?

Actually, I need to use access control rule and implement it by group of domain users and see the activity domain users in log also.

But could be I do something wrong.

Re: FirePower1010 Identity Source unknown error

Aref Alsouqi — Thu, 29 Oct 2020 23:36:21 GMT

As far as I know there would not be a manual way to build up the users to IP mapping. That is something the Firepower builds up by using the identity policy and identity sources such as ISE or AnyConnect for passive authentication. In your case, I see you configured AnyConnect with passive authentication. If there is no AnyConnect users activity to allow the Firepower to build up the mapping database, the access control policy using the AD realm would not work. That's because the Firepower would not have the user to IP mapping created, so it won't be able to match or imply any security rule on the realm users.