
Firepower 6.2 / Identity Policy with authentication rules required


Hello everyone!

I've got a Firepower v6.2 and I'm trying to configure ACLs including filtering by users. I managed to integrate the Firepower with Active Directory, that is, I can download users and groups successfully.

I've already configured an Identity Policy included in the Standard Rules. The authentication is passive. However, when I'm trying to add an ACL in the users tab, there is a warning saying "Identity Policy with authentication rules required" and I can't add users to the ACL. 

Any thoughts?

Cheers,

Fernanda 


Marvin Rhoads
Hall of Fame

Have you set up a Cisco User Agent in your domain (or have an alternate source of user to IP mapping like ISE/ISE-PIC available)?

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/user_identity_sources.html#ID-2225-00000063

Hello Marvin

Thanks for replying. Yes, I already did so. I've got a Cisco User Agent in my domain and the integration is correct. In fact, the users and groups were downloaded successfully and it can be seen in the Task tab. I think the issue is that the Identity Policy has not been applied correctly. That's why when creating an ACL, the Firepower is not seeing the configured policy.

Regards,

Fernanda

That may well be the case. Once you have created an Identity Policy you must explicitly reference it in your Access Control Policy. 

Here's where you do that:

Great! It worked!

Many thanks.

You're welcome.

Thanks for letting us know it's resolved and for the rating.

Marvin, I follow your posts very closely and they are almost always precise. 

 

Thank you.
