Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1422
Views
5
Helpful
2
Replies

Change Identity Source and retain Rules

InTheJuniverse
Level 1
Level 1

‎06-30-2019 11:08 AM - edited ‎02-21-2020 09:15 AM

My FMC is configured with Active Directory as Identity Source.

 

I have a rule that blocks websites categorized as Gambling for AD user group "RestrictedUsers".

 

Now, I want to change my Identity Source from AD to ISE and retain the existing Rule i.e., AD Group "RestrictedUsers" should not access "Gambling" websites.

 

Do I change anything in the existing rules or simply changing Identity Source from AD to ISE will do?

Labels:
0 Helpful
2 Replies 2

Rahul Govindan
VIP Alumni
VIP Alumni

‎07-02-2019 05:40 AM

Do you mean change the Identity Source from Firepower User Agent to ISE? The Firepower receives user to IP mappings from the identity source, while the AD user and group information comes directly from AD or LDAP (Realm configuration). Your Firepower ACP and Identity Rules reference your Realm configuration, so as long as that remains the same, you would not need to change anything. 

InTheJuniverse
Level 1
Level 1
In response to Rahul Govindan

‎07-04-2019 12:39 AM - edited ‎07-04-2019 04:09 AM

Thank you, Govindhan.

 

I may have used incorrect terminology, I'll rephrase.

 

My Current Setup:

 

Though we have a user agent configured, we aren't using it for it's purpose, as in, it just exists here and not installed on AD etc, so it's just sitting there. The problem is, the user agent isn't reliable, as far as we have noticed, it maintains the so called 'state table of last connection for a user', and even if they change the IP address, it records the old IP, not new. So, we want information to come from AD and ISE, so that we have end to end visibility of the username and IP address.

 

My ACP:

 

ACP.png

 

I am creating a Policy to Allow URL xyz to AD Group "_Contracts_Admin", and this authentication / authorization (?) is I believe happening on AD?

 

I want the authentication / authorisation to happen on ISE instead of AD, as it is our contralized AAA server.

 

PS: ISE is integrated with AD and I have rules on ISE for authentication / authorisation to network


What do I change to achieve this?

 

I have already configure Identity Services Engine under Integration > Identity Sources

 

ise integrated.png

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card