Re: FTD with AD - Stop supporting in 7.x.x

loc.nguyen · ‎05-17-2022

Hi,

It looks like Cisco FTD will not support Authentication using Microsoft Active directory from very 7.x.x.

It will use Cisco ISE-PIC. Is it true?

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/bulletin-c25-744508.html

Thanks

Loc

"Support for Cisco Firepower User Agent is deprecated and will be removed in a future release

"

Sheraz.Salim · ‎05-17-2022

This is correct

Software maintenance support for Cisco Firepower User Agent (all versions) will end on 30 November 2020. No patches or maintenance releases will be provided for Cisco Firepower User Agent after 30 November 2020.

Cisco Firepower User Agent will continue to function with the Cisco Firepower Management Center up to and including version 6.6.

onward 6.6 no function for User Agent is available. only way is the ISE-PIC.

please do not forget to rate.

loc.nguyen · ‎05-18-2022

Thanks. It looks like we can use local aaa/database on the firewall for authentication?

if yes, do know if there is a tool to migrate accounts from AD to the local firewall?

Rob Ingram · ‎05-18-2022

@loc.nguyen For RAVPN (if that is what you are authenticating) you can still authenticate via RADIUS, LDAP or AD, you don't need to migrate to local aaa database. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_remote_access_vpns.html

How if you want passive authentication, you'd need to use ISE or as already mentioned ISE-PIC, which is the direct replacement for Firepower User Agent. If you have an active support contract you can get ISE-PIC at no additional cost - as per your initial link.

loc.nguyen · ‎05-18-2022

I tried to upgrade the FMC to 7.x.x, it said I need to disable the Identity sources which is my AD.

That made me think I need to migrate my AD account to local on firewall as the first step. Is it true?

Second step, I need to sert up ISE-PIC

Sheraz.Salim · ‎05-18-2022

You can get the ISE-PIC from Cisco softwares download if you have a valid service support contract. Once downloaded as virtual appliances spin up and configure it. Than add your ISE to FMC.

Did you not check the Cisco release notes prior to upgrade the FMC

please do not forget to rate.

Rob Ingram · ‎05-18-2022

@loc.nguyen authentication to the FMC or FTD for management purposes is via LDAP or RADIUS, not Firepower User Agent.

Double check your authentication settings, example of external authentication.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215538-configure-firepower-management-center-an.html

Sheraz.Salim · ‎05-18-2022

for authentication you can use Radius server either ISE, LDAP and AD.as mentioned by Rob if you have cisco support contract you can get ISE-PIC for free.

please do not forget to rate.

Marvin Rhoads · ‎05-18-2022

Note that per the bulletin in the original posting, ISE-PIC is NOT free if you have the 2-, 5- or 10-device FMCv license. For all other FMC types it is free.