Menu Close

FMC AD Realm

In this post we will cover all the required steps to create a realm on Cisco FMC with AD, but let me first explain in a nutshell what is a realm and why we need it. There is a couple of requirements that we need to configure on the FMC before an identity policy can work properly. One of the requirements is the realm and another is the agent that will actively or passively feed the FMC with the users and groups IP mapping and their login activities on the domain controller.

A realm is a connector between the FMC and a remote entity. The remote entity will have visibility of the users and groups directories, but it does not necessarily have to be directly connected to those directories. The entity can also learn the users and groups metadata passively and then share it with the FMC.

An example of this is when leveraging ISE passive identity. In that case, ISE will passively learn about the users and groups from the AD, and then it will share the metadata with the FMC through pxGrid.

The FMC will then use those data to perform user awareness. This means the FMC will have visibility of the AD users and groups which can be used on the ACP rules. This gives a lot of advantages comparing to the traditional way of using the IP addresses for the traffic filtering. The main advantages of this is the ability to track down the user activity, and to react quickly in case of a security incidents.

The realm is an important part of this process, but we also need the agent to feed the FMC with the users and groups metadata, as well as the identity policy itself. There is much more about identity policy which I will cover in another post, but for now, let's just focus on how to create a realm on FMC with AD type.

Topology:

FMC AD Realm

1) Go to System > Integration:

FMC AD Realm

2) Click on Realms:

FMC AD Realm

3) Create a realm:

You can click on any of the below two highlighted options.

FMC AD Realm

4) Active Directory Details:

Fill up all your AD details, and then click on Test AD Join to verify the connectivity between the FMC and the AD.

FMC AD Realm

You should get a similar message as the below. If the details your typed in are correct and you continue to receive an error, just ignore it. So, click OK and go to the next step. The reason why I am saying this is because sometimes the FMC might return an error message with no obvious reasons when the connection is actually working.

FMC AD REALM

5) Click OK twice and click on Add directory:

FMC AD Realm

If you did not import the certificate into the FMC yet, you can do it directly by clicking on the green plus button, or, by going to Objects > Object Management > PKI > Trusted CAs > Add Trusted CA. Either way, it will ask you to add a name and then to browse or to paste the certificate content.

6) Directory details:

Add the directory details and click on Test to test the directory connectivity. Type the active directory FQDN if you want to use LDAPS, and select the LDAPS public certificate from the drop down menu.

FMC AD Realm

You should get a connection succeeded message similar to this:

FMC AD Realm

7) Click OK and go to User Download:

FMC AD Realm

FMC AD Realm

8) Select the AD groups:

You should see the AD groups on the User Download left side pane. Check the tick box next to Download users and groups. You can specify the time to auto download the users and groups from the AD. You can also set a timer in hours to repeat this operation. Select the AD group you want the FMC to use for user awareness and click on Add to Include.

FMC AD Realm

9) Click Save:

FMC AD Realm

10) Enable the realm:

FMC AD Realm

11) Click on the download button:

We need to do this because the users and groups are not yet downloaded to the FMC. Hence, if you go to the access control policy (ACP), you would see nothing if you click on the realm from within the ACP rules.

The exception for this if you have set a time to download the users and groups that has passed already by now. In that case you don't need to manually download the users and groups.

FMC AD Realm

12) Confirm the users and groups download:

FMC AD Realm

FMC AD Realm

13) Verify the users and groups download:

To verify the users and groups successful download, click on the notifications button and go to Tasks. We could click on the Message Center Tasks Tab hyperlink in the above image to go to the same place.

FMC AD Realm

I will cover the agent and the Identity Policy in the next coming posts.

I hope this has been helpful, and thank you for reading.

Posted in Blog, Firepower, FMC, Security

Related Posts

  • >
    Scroll To Top
    Share via
    Copy link
    Powered by Social Snap