3127 Views, 0 Helpful, 8 Replies

FTD/FDM to AD using Identity Source but not with MGMT port

S3C (Level 1)

Hello!

 

I want to connect the FTD to an AD in order to set up ACLs on user level. But from what I've read, it's only doable from the MGMT port:

  • Management interface, for: identity policies.

  • Data interface, for: remote access VPN (outside interface).

Is it possible to change the above, so that a data interface is also used for identity policies?

If so, how do I do that? A static route from mgmt, or?

 

I need the MGMT port to manage the device.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/create_and_manage_realms.html#Cisco_Task_in_List_GUI.dita_8129dc2d-c032-440d-a24b-9374c4861449

 

Thanks a lot!

8 Replies

What version of FDM is running on the FTD? And are you planning to use active or passive authentication in the identity policy? If the plan is to use passive authentication, then you need to define an identity source. I believe with 6.6.x you can just use ISE as the identity source. The identity policy is not tied to the management interface; in it, you can define the source and destination zones/networks of all data interfaces.

6.6.1-90

Passive for now. I know an option is to connect it to a switch and route it from there, but at the moment that's not an option.

Cannot connect to realm. Messages returned:

For identity policies - the connection test failed.

Interface 1/1 is connected to the DC/AD and I can ping both the IP and the hostname. My ACLs for the DC are working too, so there are no connectivity issues; therefore it seems valid that it's looking for the connection through MGMT.

Thanks

I don't quite understand your question. The management interface is used for, well, management traffic. This includes to-the-box management as well as retrieving AD or LDAP user information. The actual ACP rules are assigned to the relevant zones and interfaces.

--
Please remember to select a correct answer and rate helpful posts

Exactly, but in the planned setup I need the management port for supervising the device/whole network, so I can't use that port for anything else. I already have port 1/1 connected to the AD.

Therefore my question is whether it's possible to make the identity source not use the management interface.

When you say supervising, I assume you mean event monitoring? As far as I know, only the 4100 and 9300 series support two management interfaces (one for mgmt and one for events). If you do not use these models you will not be able to have separate interfaces for the two.

--
Please remember to select a correct answer and rate helpful posts

Correct, and some configuring. As the FW will act as a router, all parts/departments of the network go through the FW.

I'm using the 1000 series. So the only option is to get a switch in between, or not use the identity source / ISE at all?

I don't think you can avoid using ISE as the identity source; I think that is the only option you have on FDM 6.6.x for passive authc. An identity source is required for the identity policy, either via remote access VPN or ISE. You can dedicate a data interface as management-only and place it on the same network where you have the AD.

So you mean to set an interface as management-only and add it for management access?

I tested setting a sub-interface as management-only with a connection to the AD (pingable), but I still get the same error that the connection test failed. Do I have to allow it for management access as well? (Attached, but isn't this access to the FDM, i.e. which data interface should have access to FDM?)

So at the moment I'm thinking this isn't doable without a certificate server for ISE or adding another switch for mgmt, and neither of those is an option.
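Added example, not from this thread or from Cisco: the realm "test connection" in the posts above goes out whatever interface the box treats as management, so a quick way to see which path actually reaches the DC is to reproduce the check from a host with a foot in each network. The script below probes the DC on the TCP ports an AD realm lookup normally needs (LDAP 389, LDAPS 636, Kerberos 88, global catalog 3268, an assumption about what the FTD uses) while binding to a chosen source IP, so the probe leaves via the management network or the data network as you pick. The DC name `dc01.example.local` and the sample source addresses are placeholders.

```python
import socket
import sys
from typing import Dict, Optional, Tuple

# Ports an AD realm/identity lookup typically needs (assumption, not from the thread).
AD_PORTS = {"ldap": 389, "ldaps": 636, "kerberos": 88, "gc": 3268}


def tcp_reachable(host: str, port: int, source_ip: Optional[str] = None,
                  timeout: float = 2.0) -> Tuple[bool, str]:
    """TCP-connect to host:port. If source_ip is given, bind to it first so the
    OS routes the probe from that interface (management vs. data network)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_ip:
            s.bind((source_ip, 0))
        s.connect((host, port))
        return True, "connected"
    except OSError as e:
        # refused, timeout, "cannot assign requested address" (bad source IP), etc.
        return False, str(e)
    finally:
        s.close()


def check_ad_path(dc: str, source_ip: Optional[str] = None,
                  ports: Dict[str, int] = AD_PORTS,
                  timeout: float = 2.0) -> Dict[str, Tuple[bool, str]]:
    """Resolve the DC (IP literals pass through) and probe each service port.
    Returns {service: (ok, detail)}; the "dns" entry records name resolution,
    which the realm test also depends on."""
    results: Dict[str, Tuple[bool, str]] = {}
    try:
        addr = socket.gethostbyname(dc)
        results["dns"] = (True, addr)
    except socket.gaierror as e:
        results["dns"] = (False, str(e))
        for svc in ports:                     # nothing to probe without an address
            results[svc] = (False, "unresolved")
        return results
    for svc, port in ports.items():
        results[svc] = tcp_reachable(addr, port, source_ip, timeout)
    return results


def path_ok(results: Dict[str, Tuple[bool, str]]) -> bool:
    """True only if DNS and every probed port succeeded from that source."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # usage: python ad_path_check.py dc01.example.local [source_ip ...]
    # e.g.   python ad_path_check.py dc01.example.local 10.0.0.5 192.168.1.5
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"   # placeholder
    sources = sys.argv[2:] or [None]
    for src in sources:
        res = check_ad_path(dc, src)
        label = src or "default route"
        print(f"[{label}] overall: {'OK' if path_ok(res) else 'FAIL'}")
        for svc, (ok, detail) in res.items():
            print(f"    {svc:9} {'ok  ' if ok else 'FAIL'} {detail}")
```

Run it once with the management-network source address and once with the data-interface address: if only the data-network run succeeds, the failure reported above is a path problem (the realm test leaves via management and has no route to the DC), not an AD or credential problem. A bind error on the source address means that host does not actually own that IP.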
