11-22-2017 08:33 PM - edited 02-21-2020 06:49 AM
Dears,
I have implemented Firepower with the FireSIGHT system. My problem is that when a guest connects his laptop, he gets an IP address and is able to connect to the internet. I want single sign-on with Sourcefire for domain users, and if the user is not a domain user then a prompt should appear for username and password.
This is achievable in Fortinet. How can I achieve this with ASA?
Thanks
11-23-2017 02:44 AM
If you are managing your ASA Firepower service module with Firepower Management Center, you can set up realm integration with your AD and require all non-AD users to use captive portal. The same is not possible using only ASDM-based management.
I'm not sure where a guest user account would be defined in your scenario though.
11-24-2017 11:52 PM
Dear Marvin,
Can you route me to the documentation for the captive portal, as mentioned above in your reply?
Thanks
11-25-2017 06:18 AM
Cisco has a Configuration Example document on just this integration. Please see the following:
Additional details can be found in the FMC Configuration Guide here:
11-25-2017 02:06 PM - edited 11-25-2017 03:21 PM
Dear Marvin,
Thanks for the reply and the link provided. I will configure it, and if I get stuck anywhere I will post the error. Regarding the link provided, I have a small query below.
Please find the attached screenshot. I am running 6.0. None of the groups are selected on the User Download page, but the usernames are still seen in the connection events, file events, and malware events.
Do we have to select the groups on the User Download page, or are all included by default, as I can see user groups when I create a policy?
Thanks
11-25-2017 06:56 PM
You're welcome - please rate if it helped.
Re the groups, select them from the downloads page. That is where the user mapping to group is derived from.
Identification of end user identity is via one of the identity sources - User Agent, ISE, captive portal etc.
Association of that user identity to a group is via the selections you have available on the screenshot you shared.
11-25-2017 09:07 PM
Sure, will rate, and up till now I have rated your replies.
My question was: if I don't include groups in the User Download page, FireSIGHT will display all the groups when configuring the access policies, so I don't have to include or exclude. This is an extra feature by FS that precisely displays only those groups while configuring access policies.
Thanks
11-26-2017 04:09 AM
If you do not specify any groups to include, the system retrieves user data for all the groups that match the parameters you provided. For performance reasons, Cisco recommends that you explicitly include only the groups that represent the users you want to use in access control.
In my lab, I have specified only Domain Users and Domain Admins in my Realm configuration (screenshot #1 below). Thus, when configuring an ACP I only have those groups and their members to choose among when configuring a rule (screenshot #2).
11-27-2017 10:59 AM