My FMC is configured with Active Directory as Identity Source.
I have a rule that blocks websites categorized as Gambling for AD user group "RestrictedUsers".
Now, I want to change my Identity Source from AD to ISE and retain the existing Rule i.e., AD Group "RestrictedUsers" should not access "Gambling" websites.
Do I change anything in the existing rules or simply changing Identity Source from AD to ISE will do?
Do you mean change the Identity Source from Firepower User Agent to ISE? The Firepower receives user to IP mappings from the identity source, while the AD user and group information comes directly from AD or LDAP (Realm configuration). Your Firepower ACP and Identity Rules reference your Realm configuration, so as long as that remains the same, you would not need to change anything.
Thank you, Govindhan.
I may have used incorrect terminology, I'll rephrase.
My Current Setup:
Though we have a user agent configured, we aren't using it for it's purpose, as in, it just exists here and not installed on AD etc, so it's just sitting there. The problem is, the user agent isn't reliable, as far as we have noticed, it maintains the so called 'state table of last connection for a user', and even if they change the IP address, it records the old IP, not new. So, we want information to come from AD and ISE, so that we have end to end visibility of the username and IP address.
I am creating a Policy to Allow URL xyz to AD Group "_Contracts_Admin", and this authentication / authorization (?) is I believe happening on AD?
I want the authentication / authorisation to happen on ISE instead of AD, as it is our contralized AAA server.
PS: ISE is integrated with AD and I have rules on ISE for authentication / authorisation to network
What do I change to achieve this?
I have already configure Identity Services Engine under Integration > Identity Sources