Best Practices for User Identity
We recommend you review the following information before you set up identity policies.
- Know user limits
- Health monitor
- Use latest version of ISE/ISE-PIC, two types of remediation
- Captive portal requires routed interface, several individual tasks
Microsoft Active Directory and LDAP
The system supports Active Directory, LDAP, and other user repositories for user awareness and control. The association between an Active Directory or LDAP repository and the Security Cloud Control is referred to as a realm. You should create one realm per LDAP server or Active Directory domain. For details about which versions are supported, see Supported Servers for Realms.
The only user identity source supported by LDAP is captive portal. To use other identity sources (with the exception of ISE/ISE-PIC), you must use Active Directory.
For Active Directory only:
- Create one directory per domain controller. For details, see Create an LDAP Realm or an Active Directory Realm and Realm Directory.
- Users and groups in trust relationships between two domains are supported provided you add all Active Directory domains and domain controllers as realms and directories, respectively. For more information, see Realms and Trusted Domains.
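The realm and directory rules above (one realm per domain, one directory per domain controller, and every trusted domain covered) can be checked against an inventory before configuration. The following is an added example, not Cisco code: the `Domain` and `Realm` records and the sample inventory are constructed for illustration, and the check only models the rules stated on this page.

```python
# Added example (not Cisco's code): validate a planned realm/directory layout against
# the rules on this page: one realm per Active Directory domain, one directory per
# domain controller, and every domain reachable through a trust covered as well.
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    controllers: list            # hostnames of the domain controllers
    trusts: list = field(default_factory=list)  # names of trusted domains


@dataclass
class Realm:
    domain: str
    directories: set             # domain controllers configured as directories


def check_realms(domains, realms):
    """Return human-readable findings; an empty list means the layout is complete."""
    by_name = {d.name: d for d in domains}
    realm_by_domain, findings = {}, []
    for r in realms:
        if r.domain in realm_by_domain:
            findings.append(f"duplicate realm for domain {r.domain}")
        realm_by_domain[r.domain] = r
    # Every domain reachable via trusts from a configured realm needs its own realm.
    needed, stack = set(), [r.domain for r in realms]
    while stack:
        name = stack.pop()
        if name in needed or name not in by_name:
            continue
        needed.add(name)
        stack.extend(by_name[name].trusts)
    for name in sorted(needed):
        realm = realm_by_domain.get(name)
        if realm is None:
            findings.append(f"trusted domain {name} has no realm")
            continue
        for dc in sorted(set(by_name[name].controllers) - realm.directories):
            findings.append(f"realm {name}: domain controller {dc} has no directory")
    return findings


# Constructed sample inventory: a trust to child.example.com that is not yet covered,
# and a second domain controller in corp.example.com with no directory.
SAMPLE_DOMAINS = [
    Domain("corp.example.com", ["dc1.corp.example.com", "dc2.corp.example.com"],
           trusts=["child.example.com"]),
    Domain("child.example.com", ["dc1.child.example.com"]),
]
SAMPLE_REALMS = [Realm("corp.example.com", {"dc1.corp.example.com"})]
```

Run `check_realms(SAMPLE_DOMAINS, SAMPLE_REALMS)` to list the missing realm and directory for the sample inventory.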
Passive Identity Agent identity source
The passive identity agent software can monitor multiple Microsoft Active Directory servers and domain controllers and send user name and IP address information to the Security Cloud Control.
For more information, see The Passive Identity Agent Identity Source.
pxGrid Cloud Identity Source
The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud Identity Source enables you to use subscription and user data from Cisco ISE in cloud-delivered Firewall Management Center access control rules.
The pxGrid cloud identity source lets the constantly changing dynamic objects from ISE be used for user control in access control policies in the cloud-delivered Firewall Management Center.
For more information, see About the pxGrid Cloud Identity Source.
Proxy sequence
A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if Security Cloud Control cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, Security Cloud Control might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.)
Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over.
Health monitor
The Security Cloud Control health monitor provides valuable information about the status of various Security Cloud Control functions, including:
- User/realm mismatches
- Snort memory usage
- ISE connection status
For more information about health modules, see Health Modules.
To set up policies to monitor health modules, see Creating Health Policies.
Use the latest version of ISE/ISE-PIC
If you expect to use the ISE/ISE-PIC identity source, we strongly recommend you always use the latest version to make sure you get the latest features and bug fixes.
pxGrid 2.0 (which is used by version 2.6 patch 6 or later; or 2.7 patch 2 or later) also changes the remediation used by ISE/ISE-PIC from Endpoint Protection Service (EPS) to Adaptive Network Control (ANC). If you upgrade ISE/ISE-PIC, you must migrate your remediation policies from EPS to ANC.
More information about using ISE/ISE-PIC can be found in ISE/ISE-PIC Guidelines and Limitations.
To set up the ISE/ISE-PIC identity source, see How to Configure ISE/ISE-PIC for User Control.
Captive portal information
You can use captive portal active authentication with any of the following:
- LDAP. For more information, see The Captive Portal Identity Source.
- Microsoft AD. For more information, see The Captive Portal Identity Source.
- Microsoft Azure AD (SAML). For more information, see Create a Microsoft Azure AD (SAML) Realm.
TS Agent information
The TS Agent user identity source is required to identify user sessions on a Windows Terminal Server. The TS Agent software must be installed on the Terminal Server machine as discussed in the Cisco Terminal Services (TS) Agent Guide. In addition, you must synchronize the time on your TS Agent server with the time on the Security Cloud Control.
TS Agent data is visible in the Users, User Activity, and Connection Event tables and can be used for user awareness and user control.
For more information, see TS Agent Guidelines.
Associate the identity policy with an access control policy
After you configure your realm, directory, and user identity source, you must set up identity rules in an identity policy. To make the policy effective, you must associate the identity policy with an access control policy.
For more information about creating an identity policy, see Create an Identity Policy.
For more information about creating identity rules, see Create an Identity Rule.
To associate an identity policy with an access control policy, see Associating Other Policies with Access Control.