11-22-2024 11:20 AM
We are considering purchasing a license for URL filtering to use with FirePower on an FPR1120. I wanted to see what is required to integrate the URL filtering with active directory so that it applies certain policies to certain users and groups. The goal for this being that some users are more or less restricted than others. I have searched but haven't found much on this and it seems like the method of implementation has changed somewhat recently. Is there a guide that goes over the current proper setup for this? Also is there any extra licenses required to integrate AD with Firepower URL filtering?
11-22-2024 11:27 AM
@Keegan Santos you can use AD realm/ISE/ISE-PIC - you'd need ISE/ISE-PIC licensing.
or if running the latest FMC version 7.6 you can use the Passive Identity agent
11-22-2024 11:35 AM
ISE-PIC is a license that is purchased for the FPR 1120 in addition to the URL filtering license?
I can update it to 7.6 if necessary, but would the passive identity agent also require a ISE-PIC license?
Does either of these options require a client to be deployed on the end user's device? For devices that do not have a user authenticated to AD, such as an Android or iOS phone, how does the filtering get applied? Can it be applied per VLAN or network? For example, if we set up an "Admin" and a "User" network, can different filtering policies be applied to those networks?
11-22-2024 11:44 AM
@Keegan Santos ISE-PIC is a separate license to the URL Filtering license.
You do not need to use Cisco ISE with the passive identity agent. The Passive ID agent works by sending session data (event logs) from Microsoft Active Directory (AD) to the FMC. You create an Identity Policy to control traffic based on AD group/user etc.
11-22-2024 11:53 AM
So then, based on your response, an agent would be required on the computers with Passive Identity, correct? How is traffic filtered if a device doesn't have the agent installed, such as an Android or iOS phone?
11-22-2024 12:02 PM
@Keegan Santos You can just install on an AD server, so it would send all AD authentication events. You don't necessarily need to install on windows AD domain joined endpoints, although you can install on a client. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/passive-identity-agent.html
How are the Android and iOS devices authenticating to the network? If they authenticate somehow to AD and generate the necessary Windows event IDs (as per the guide already provided), then the Passive ID agent will receive those events.
11-22-2024 12:31 PM
They authenticate with a WPA key. Devices on the guest network don't authenticate, they connect to an open network that is restricted from accessing any network except the Internet and has its bandwidth limited. We wouldn't restrict the guest network heavily, we would still like to restrict access to a few select categories such as adult content though.
11-22-2024 12:37 PM
@Keegan Santos you could use a captive portal to authenticate the guest users https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/identity-captive-portal.html
Or just apply a normal Access Control rule for the guest network(s) that restricts access to adult content.
You can still apply different Access Control rules for your AD devices based on the information learnt from the ID agent (as per the above information).
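The two mechanisms discussed above (user/group-based rules for AD hosts learnt from logon events, plus a plain network-based rule for the guest VLAN) can be modelled in a few lines. The following is an added illustration, not Cisco's code and not the Passive ID agent's actual wire format: it builds an IP-to-user mapping from constructed logon/logoff event lines (Windows event IDs 4624 and 4634 are real, the line layout is invented here), then evaluates an ordered rule list the way an Access Control Policy is matched top-down. The group memberships, networks and category names are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of AD security events. 4624 = successful logon, 4634 = logoff.
# The "key=value" layout is invented for this example; the real agent parses event XML.
SAMPLE_AD_EVENTS = """\
4624 user=alice domain=CORP src=10.10.20.15
4624 user=bob domain=CORP src=10.10.20.42
4624 user=carol domain=CORP src=10.10.20.77
4634 user=bob domain=CORP src=10.10.20.42
"""

# Assumed AD group memberships (would come from the realm/LDAP lookup in FMC).
AD_GROUPS = {"alice": {"Admins"}, "bob": {"Users"}, "carol": {"Users"}}

EVENT_RE = re.compile(r"^(\d+)\s+user=(\S+)\s+domain=(\S+)\s+src=(\S+)$")


def parse_logon_events(text):
    """Build {src_ip: user} from logon events; a logoff for the same user clears the entry."""
    mapping = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # ignore anything that is not a recognised event line
        event_id, user, _domain, src = m.groups()
        if event_id == "4624":
            mapping[src] = user
        elif event_id == "4634" and mapping.get(src) == user:
            mapping.pop(src)  # avoid a stale user-to-IP binding after logoff
    return mapping


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset = frozenset()      # match if the mapped user is in any of these groups
    networks: tuple = ()                 # match if the source IP is in any of these networks
    blocked_categories: frozenset = frozenset()


# Assumed ordered rule set, evaluated top-down like an Access Control Policy.
RULES = (
    Rule("Admins-allow", groups=frozenset({"Admins"})),
    Rule("Users-restrict", groups=frozenset({"Users"}),
         blocked_categories=frozenset({"adult", "gambling"})),
    Rule("Guest-restrict", networks=(ipaddress.ip_network("192.168.50.0/24"),),
         blocked_categories=frozenset({"adult"})),
    # Fallback for corp hosts with no identity mapping (e.g. logged off, or no AD logon).
    Rule("Corp-unidentified", networks=(ipaddress.ip_network("10.10.20.0/24"),),
         blocked_categories=frozenset({"adult", "gambling"})),
)


def evaluate(src_ip, category, ip_user_map):
    """Return (rule_name, action) for a request from src_ip to a URL in the given category."""
    user = ip_user_map.get(src_ip)
    groups = AD_GROUPS.get(user, set())
    ip = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if rule.groups and not (groups & rule.groups):
            continue
        if rule.networks and not any(ip in net for net in rule.networks):
            continue
        action = "block" if category in rule.blocked_categories else "allow"
        return rule.name, action
    return "default", "allow"


if __name__ == "__main__":
    id_map = parse_logon_events(SAMPLE_AD_EVENTS)
    for ip, cat in [("10.10.20.15", "adult"), ("10.10.20.77", "adult"),
                    ("192.168.50.9", "adult"), ("10.10.20.42", "adult")]:
        print(ip, cat, evaluate(ip, cat, id_map))
```

The last rule is the point worth checking in a real deployment: a corp host whose user has logged off (or a phone on the corp Wi-Fi that never produced an AD logon event) matches no group-based rule, so without a network-based fallback it falls through to the policy default.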
11-22-2024 12:22 PM
https://rayka-co.com/lesson/cisco-ftd-identity-policy-active-authentication/
Use active authc and attach users to ACP URL filter.
MHM