FTD support two types of authentication:
- Active Authentication
- Captive Portal Authentication or Active Authentication prompts a login page and user credentials are required for a host to get the internet access.
- Passive Authentication (called as single sign on)
- This is achieved by having a feed to FMC to share information about users authentication status
- Users will seamlessly get internet access if FMC gets information about successful user authentication
To configure user based policies
- You need to add realm to FMC in order to download users list and create per-user/per-group ACP
- You need to add identity source to feed FMC with authentication status about users (for passive authentication)
Here is the combination of supported identity sources and realms
|
User Identity Source
|
Policy
|
Realm Requirements
|
Type
|
Authentication Type
|
User Awareness?
|
User Control?
|
|
User Agent
|
Identity
|
Microsoft Active Directory
|
Authoritative logins
|
Passive
|
Yes
|
Yes
|
|
ISE
|
Identity
|
Microsoft Active Directory
|
Authoritative logins
|
Passive
|
Yes
|
Yes
|
|
TS Agent
|
Identity
|
Microsoft Windows Terminal Server
|
Authoritative logins
|
Passive
|
Yes
|
Yes
|
|
Captive portal
|
Identity
|
LDAP or
Microsoft Active Directory
|
Authoritative logins
|
Active
|
Yes
|
Yes
|
|
Traffic-based detection
|
Network discovery
|
n/a
|
Non-authoritative logins
|
n/a
|
Yes
|
No
|
