topic Re: FTD with AD - Stop supporting in 7.x.x in Network Security

FTD with AD - Stop supporting in 7.x.x

loc.nguyen — Wed, 18 May 2022 00:19:15 GMT

Hi,

It looks like Cisco FTD will not support Authentication using Microsoft Active directory from very 7.x.x.

It will use Cisco ISE-PIC. Is it true?

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/bulletin-c25-744508.html

Thanks

Loc

"Support for Cisco Firepower User Agent is deprecated and will be removed in a future release

Re: FTD with AD - Stop supporting in 7.x.x

Sheraz.Salim — Wed, 18 May 2022 00:35:22 GMT

This is correct

Software maintenance support for Cisco Firepower User Agent (all versions) will end on 30 November 2020. No patches or maintenance releases will be provided for Cisco Firepower User Agent after 30 November 2020.

Cisco Firepower User Agent will continue to function with the Cisco Firepower Management Center up to and including version 6.6.

onward 6.6 no function for User Agent is available. only way is the ISE-PIC.

Re: FTD with AD - Stop supporting in 7.x.x

loc.nguyen — Wed, 18 May 2022 14:03:36 GMT

Thanks. It looks like we can use local aaa/database on the firewall for authentication?

if yes, do know if there is a tool to migrate accounts from AD to the local firewall?

Re: FTD with AD - Stop supporting in 7.x.x

Rob Ingram — Wed, 18 May 2022 14:38:58 GMT

@loc.nguyen For RAVPN (if that is what you are authenticating) you can still authenticate via RADIUS, LDAP or AD, you don't need to migrate to local aaa database. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_remote_access_vpns.html

How if you want passive authentication, you'd need to use ISE or as already mentioned ISE-PIC, which is the direct replacement for Firepower User Agent. If you have an active support contract you can get ISE-PIC at no additional cost - as per your initial link.

Re: FTD with AD - Stop supporting in 7.x.x

Sheraz.Salim — Wed, 18 May 2022 15:09:34 GMT

for authentication you can use Radius server either ISE, LDAP and AD.as mentioned by Rob if you have cisco support contract you can get ISE-PIC for free.

Re: FTD with AD - Stop supporting in 7.x.x

loc.nguyen — Wed, 18 May 2022 15:21:04 GMT

I tried to upgrade the FMC to 7.x.x, it said I need to disable the Identity sources which is my AD.

That made me think I need to migrate my AD account to local on firewall as the first step. Is it true?

Second step, I need to sert up ISE-PIC

Re: FTD with AD - Stop supporting in 7.x.x

Sheraz.Salim — Wed, 18 May 2022 16:00:56 GMT

You can get the ISE-PIC from Cisco softwares download if you have a valid service support contract. Once downloaded as virtual appliances spin up and configure it. Than add your ISE to FMC.

Did you not check the Cisco release notes prior to upgrade the FMC

Re: FTD with AD - Stop supporting in 7.x.x

Rob Ingram — Wed, 18 May 2022 16:29:01 GMT

@loc.nguyen authentication to the FMC or FTD for management purposes is via LDAP or RADIUS, not Firepower User Agent.

Double check your authentication settings, example of external authentication.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215538-configure-firepower-management-center-an.html

Re: FTD with AD - Stop supporting in 7.x.x

Marvin Rhoads — Wed, 18 May 2022 19:10:29 GMT

Note that per the bulletin in the original posting, ISE-PIC is NOT free if you have the 2-, 5- or 10-device FMCv license. For all other FMC types it is free.