topic Re: Firepower URL Filtering Active Directory Integration in Network Security

Firepower URL Filtering Active Directory Integration

Keegan Santos — Fri, 22 Nov 2024 19:20:08 GMT

We are considering purchasing a license for URL filtering to use with FirePower on an FPR1120. I wanted to see what is required to integrate the URL filtering with active directory so that it applies certain policies to certain users and groups. The goal for this being that some users are more or less restricted than others. I have searched but haven't found much on this and it seems like the method of implementation has changed somewhat recently. Is there a guide that goes over the current proper setup for this? Also is there any extra licenses required to integrate AD with Firepower URL filtering?

Re: Firepower URL Filtering Active Directory Integration

Rob Ingram — Fri, 22 Nov 2024 19:27:34 GMT

@Keegan Santos you can use AD realm/ISE/ISE-PIC - you'd need ISE/ISE-PIC licensing.

https://pseudoco.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/create_and_manage_realms.html

https://pseudoco.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/control_users_with_ise_ise_pic.html

or if running the latest FMC version 7.6 you can use the Passive Identity agent

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/m_user-control-with-the-passive-identity-agent.html

Re: Firepower URL Filtering Active Directory Integration

Keegan Santos — Fri, 22 Nov 2024 19:35:44 GMT

ISE-PIC is a license that is purchased for the FPR 1120 in addition to the URL filtering license?

I can update it to 7.6 if necessary, but would the passive identity agent also require a ISE-PIC license?

Do either of these option require a client to be deployed on the end user's device? For devices that do not have a user authenticated to AD, such as an Android or iOS phone, how does the filtering get applied? Can it be applied per VLAN or network? For example if we setup a "Admin" and "User" network can different filtering policies be applied to those networks?

Re: Firepower URL Filtering Active Directory Integration

Rob Ingram — Fri, 22 Nov 2024 19:44:26 GMT

@Keegan Santos ISE-PIC is a separate license to the URL Filtering license.

You do not need to use Cisco ISE with the passive identity agent. Passive ID agent works by sending session data (event logs) from Microsoft Active Directory (AD) to the FMC. You create an Identity Policy to control trafffic based on AD group/user etc

Re: Firepower URL Filtering Active Directory Integration

Keegan Santos — Fri, 22 Nov 2024 19:53:41 GMT

So then based on your response an agent would be required on the computers with Passive Identity correct? How is traffic filtering if a device doesn't have the agent installed? Such as with an Android or iOS phone.

Re: Firepower URL Filtering Active Directory Integration

Rob Ingram — Fri, 22 Nov 2024 20:02:56 GMT

@Keegan Santos You can just install on an AD server, so it would send all AD authentication events. You don't necessarily need to install on windows AD domain joined endpoints, although you can install on a client. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/passive-identity-agent.html

How are the android and iOS devices authenticating to the network? If they authenticate some how to AD and generate the necessary Windows event IDs (as per the guide already provided), then the Passive ID agent will receive those events.

Re: Firepower URL Filtering Active Directory Integration

MHM Cisco World — Fri, 22 Nov 2024 20:22:57 GMT

https://rayka-co.com/lesson/cisco-ftd-identity-policy-active-authentication/

Use active authc and attach users to ACP URL filter.

MHM

Re: Firepower URL Filtering Active Directory Integration

Keegan Santos — Fri, 22 Nov 2024 20:31:31 GMT

They authenticate with a WPA key. Devices on the guest network don't authenticate, they connect to an open network that is restricted from accessing any network except the Internet and has its bandwidth limited. We wouldn't restrict the guest network heavily, we would still like to restrict access to a few select categories such as adult content though.

Re: Firepower URL Filtering Active Directory Integration

Rob Ingram — Fri, 22 Nov 2024 20:37:45 GMT

@Keegan Santos you could use a captive portal to authenticate the guest users https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/identity-captive-portal.html

Or just apply a normal Access Control rule for the guest network(s) that restrict access to adult content.

You can still apply different Access Control rules for your AD devices based on the information learnt from the ID agent (as per the above information).