https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3883187#M923194 <P>Do you mean change the Identity Source from Firepower User Agent to ISE? The Firepower receives user to IP mappings from the identity source, while the AD user and group information comes directly from AD or LDAP (Realm configuration). Your Firepower ACP and Identity Rules reference your Realm configuration, so as long as that remains the same, you would not need to change anything.&nbsp;</P> Tue, 02 Jul 2019 12:40:25 GMT Rahul Govindan 2019-07-02T12:40:25Z https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3882199#M923193 <P>My FMC is configured with Active Directory as Identity Source.</P><P>&nbsp;</P><P>I have a rule that blocks websites categorized as Gambling for AD user group "RestrictedUsers".</P><P>&nbsp;</P><P>Now, I want to change my Identity Source from AD to ISE and retain the existing Rule i.e., AD Group "RestrictedUsers" should not access "Gambling" websites.</P><P>&nbsp;</P><P>Do I change anything in the existing rules or simply changing Identity Source from AD to ISE will do?</P> Fri, 21 Feb 2020 17:15:26 GMT https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3882199#M923193 InTheJuniverse 2020-02-21T17:15:26Z https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3883187#M923194 <P>Do you mean change the Identity Source from Firepower User Agent to ISE? The Firepower receives user to IP mappings from the identity source, while the AD user and group information comes directly from AD or LDAP (Realm configuration). Your Firepower ACP and Identity Rules reference your Realm configuration, so as long as that remains the same, you would not need to change anything.&nbsp;</P> Tue, 02 Jul 2019 12:40:25 GMT https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3883187#M923194 Rahul Govindan 2019-07-02T12:40:25Z https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3884562#M923195 <P>Thank you, Govindhan.</P><P>&nbsp;</P><P>I may have used incorrect terminology, I'll rephrase.</P><P>&nbsp;</P><P>My Current Setup:</P><P>&nbsp;</P><P>Though we have a user agent configured, we aren't using it for it's purpose, as in, it just exists here and not installed on AD etc, so it's just sitting there. The problem is, the user agent isn't reliable, as far as we have noticed, it maintains the so called 'state table of last connection for a user', and even if they change the IP address, it records the old IP, not new. So, we want information to come from AD and ISE, so that we have end to end visibility of the username and IP address.</P><P>&nbsp;</P><P>My ACP:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ACP.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/40073i313DD6D2DA1A549A/image-size/large?v=v2&amp;px=999" role="button" title="ACP.png" alt="ACP.png" /></span></P><P>&nbsp;</P><P>I am creating a Policy to Allow URL xyz to AD Group "_Contracts_Admin", and this authentication / authorization (?) is I believe happening on AD?</P><P>&nbsp;</P><P>I want the authentication / authorisation to happen on ISE instead of AD, as it is our contralized AAA server.</P><P>&nbsp;</P><P>PS: ISE is integrated with AD and I have rules on ISE for authentication / authorisation to network</P><P><BR />What do I change to achieve this?</P><P>&nbsp;</P><P>I have already configure Identity Services Engine under Integration &gt; Identity Sources</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ise integrated.png" style="width: 997px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/40074i5903752820BA3D31/image-size/large?v=v2&amp;px=999" role="button" title="ise integrated.png" alt="ise integrated.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 04 Jul 2019 11:09:36 GMT https://community.cisco.com/t5/network-security/change-identity-source-and-retain-rules/m-p/3884562#M923195 InTheJuniverse 2019-07-04T11:09:36Z