Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1112
Views
15
Helpful
8
Replies

FTD with AD - Stop supporting in 7.x.x

loc.nguyen
Level 1
Level 1

‎05-17-2022 05:19 PM

Hi, 

 

It looks like Cisco FTD will not support Authentication using Microsoft Active directory from very 7.x.x. 

 

It will use Cisco ISE-PIC. Is it true?

 

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/bulletin-c25-744508.html

 

Thanks

 

Loc

 

"Support for Cisco Firepower User Agent is deprecated and will be removed in a future release

a-FMC.jpg

"

0 Helpful
8 Replies 8

Sheraz.Salim
VIP
VIP

‎05-17-2022 05:35 PM

This is correct 

 

Software maintenance support for Cisco Firepower User Agent (all versions) will end on 30 November 2020. No patches or maintenance releases will be provided for Cisco Firepower User Agent after 30 November 2020.

 

Cisco Firepower User Agent will continue to function with the Cisco Firepower Management Center up to and including version 6.6.

 

onward 6.6 no function for User Agent is available. only way is the ISE-PIC.

please do not forget to rate.

loc.nguyen
Level 1
Level 1

‎05-18-2022 07:03 AM

Thanks. It looks like we can use local aaa/database on the firewall for authentication?

if yes, do know if there is a tool to migrate accounts from AD to the local firewall?

0 Helpful

Rob Ingram
VIP
VIP
In response to loc.nguyen

‎05-18-2022 07:38 AM

@loc.nguyen For RAVPN (if that is what you are authenticating) you can still authenticate via RADIUS, LDAP or AD, you don't need to migrate to local aaa database. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_remote_access_vpns.html

 

How if you want passive authentication, you'd need to use ISE or as already mentioned ISE-PIC, which is the direct replacement for Firepower User Agent. If you have an active support contract you can get ISE-PIC at no additional cost - as per your initial link.

 

 

 

loc.nguyen
Level 1
Level 1
In response to Rob Ingram

‎05-18-2022 08:21 AM

I tried to upgrade the FMC to 7.x.x, it said I need to disable the Identity sources which is my AD.

That made me think I need to migrate my AD account to local on firewall as the first step. Is it true?

Second step, I need to sert up ISE-PIC 

 

a-FMC2.jpg

0 Helpful

Sheraz.Salim
VIP
VIP
In response to loc.nguyen

‎05-18-2022 09:00 AM

You can get the ISE-PIC from Cisco softwares download if you have a valid service support contract. Once downloaded as virtual appliances spin up and configure it. Than add your ISE to FMC.
 
Did you not check the Cisco release notes prior to upgrade the FMC
please do not forget to rate.
0 Helpful

Rob Ingram
VIP
VIP
In response to loc.nguyen

‎05-18-2022 09:28 AM - edited ‎05-18-2022 09:29 AM

@loc.nguyen authentication to the FMC or FTD for management purposes is via LDAP or RADIUS, not Firepower User Agent.

 

Double check your authentication settings, example of external authentication.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215538-configure-firepower-management-center-an.html

 

 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to loc.nguyen

‎05-18-2022 08:09 AM

for authentication you can use Radius server either ISE, LDAP and AD.as mentioned by Rob if you have cisco support contract you can get ISE-PIC for free.

please do not forget to rate.

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-18-2022 12:10 PM

Note that per the bulletin in the original posting, ISE-PIC is NOT free if you have the 2-, 5- or 10-device FMCv license. For all other FMC types it is free.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card