10-23-2020 04:00 AM
I am trying to add an identity source and fill in all the fields. But the test failed:
"Cannot connect to realm for Identity policies. Message returned: The connection test failed with an unknown error."
The domain controller is reachable from the Firepower; telnet to port 389 is successful.
Software is 6.6.0.1-7.
What can be wrong?
10-23-2020 10:36 AM
10-23-2020 10:48 AM - edited 10-23-2020 10:58 AM
10-23-2020 10:39 AM
Hello!
I have been trying to do the same, but I've read that identity policies use the Management port. So if you still want to manage the FDM, you need a switch between the DC and MGMT.
Firepower MGMT -> Switch -> DC. But configure the switch so you can access the FPR MGMT from another port on the switch. Also, setting a Data Interface to "Management Only" doesn't work either (it didn't for me).
Though in my situation the above wasn't an option, so I let this go.
10-23-2020 11:05 AM
The domain controller is reachable from the Firepower management interface.
There is no IP address on the diagnostic interface, but it is up and the mode is routed.
I use Device Manager to configure the Firepower, and this menu doesn't exist: "Firepower MGMT -> Switch -> DC."
10-25-2020 05:38 AM
Did you test the policy, or did you just try the configuration test? I've seen a few times the test failing but the connectivity between the AD and the device actually working.
10-26-2020 03:28 AM
@Aref Alsouqi wrote: Did you test the policy, or did you just try the configuration test? I've seen a few times the test failing but the connectivity between the AD and the device actually working.
Yes, I tried to add the group of domain users in the policy, but there was only "name_of_Identity\all users".
10-26-2020 11:32 AM
I have never tried "all users" before; I would try specifying the groups and try again.
10-27-2020 02:57 AM - edited 10-27-2020 02:59 AM
I created the policy in access control: Source Zone - Inside zone, Destination Zone - Outside Zone, Users - "name_of_Identity\test_group_users".
But there are no hits on this policy.
And the reason is the users added to the policy. Without users, the policy works.
10-28-2020 12:29 PM
How did you configure the identity policy on the FTD? The FTD needs to build up the user-to-IP-address mapping before a user-based policy can work.
10-29-2020 05:46 AM
The identity policy settings are in the attached screen. The AD Identity Source is Identity Realm (AD).
How can I map users to IPs?
Actually, I need to use an access control rule and implement it by a group of domain users, and also see the activity of domain users in the log.
But it could be that I am doing something wrong.
10-29-2020 04:36 PM
As far as I know there would not be a manual way to build up the user-to-IP mapping. That is something the Firepower builds up by using the identity policy and identity sources such as ISE or AnyConnect for passive authentication. In your case, I see you configured AnyConnect with passive authentication. If there is no AnyConnect user activity to allow the Firepower to build up the mapping database, the access control policy using the AD realm would not work. That's because the Firepower would not have the user-to-IP mapping created, so it won't be able to match or apply any security rule on the realm users.
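To illustrate the point in the last reply, here is an added example (not code from the thread or from Cisco) that models how a user-based access rule is evaluated: the rule can only match once the source IP has a user mapping, and the mapped user must be in one of the rule's groups. The realm, group, zone and user names are constructed for the example.

```python
# Added example: a minimal model of user-based access rule evaluation.
# Realm, group and zone names are constructed to mirror the thread's setup.
from dataclasses import dataclass, field

REALM = "name_of_Identity"
ALL_USERS = f"{REALM}\\all users"            # special entry: any mapped realm user
# Constructed AD group memberships (what the realm lookup would return).
GROUP_MEMBERS = {f"{REALM}\\test_group_users": {"alice", "bob"}}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    users: set = field(default_factory=set)   # empty set = no user condition

def rule_matches(rule, src_zone, dst_zone, src_ip, user_ip_map):
    """Return True if a flow from src_ip between the zones matches the rule.

    user_ip_map is the user-to-IP table the device builds from identity
    sources (passive auth, ISE, AnyConnect). If it has no entry for src_ip,
    a rule with a user condition cannot match, which is why such a rule
    shows no hits while the same rule without users works.
    """
    if (src_zone, dst_zone) != (rule.src_zone, rule.dst_zone):
        return False
    if not rule.users:
        return True                           # no user condition to evaluate
    user = user_ip_map.get(src_ip)
    if user is None:
        return False                          # unmapped IP: user condition unresolvable
    if ALL_USERS in rule.users:
        return True                           # any known realm user
    return any(user in GROUP_MEMBERS.get(g, set()) for g in rule.users)

GROUP_RULE = Rule("allow-test-group", "Inside zone", "Outside Zone",
                  {f"{REALM}\\test_group_users"})
NO_USER_RULE = Rule("allow-inside-out", "Inside zone", "Outside Zone")

if __name__ == "__main__":
    empty_map = {}                                    # nothing learned yet
    learned_map = {"10.0.0.5": "alice", "10.0.0.9": "carol"}  # constructed
    print(rule_matches(GROUP_RULE, "Inside zone", "Outside Zone", "10.0.0.5", empty_map))
    print(rule_matches(GROUP_RULE, "Inside zone", "Outside Zone", "10.0.0.5", learned_map))
```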