FTD AD Realm

The Cisco Secure Firewall (FTD) uses a Realm to integrate the Firewall with Microsoft Active Directory (AD) Domain so that the firewall can identify, authenticate and apply access control policies based on AD user and group information.

Cisco recommends encrypting the communication between the FMC and AD. This post covers configuring the integration between Cisco FMC version 7.7 and a Microsoft Active Directory Domain Controller (Windows Server 2016).

Configuration

To configure an AD Realm that communicates securely with the AD Domain Controllers, the FMC uses Secure LDAP (LDAPS) and must be able to:

  • Resolve internal DNS names
  • Trust the CA certificate used by the Domain Controllers.

DNS Resolution

Ensure the FMC is using the local DNS servers, as the FMC will need to perform DNS lookups and resolve the internal hostnames of the Domain Controllers.

  • From the FMC navigate to Configuration > Management Interfaces

Import Trusted CA certificate

To use LDAPS and encrypt traffic between the FMC and the Active Directory Domain Controllers, the CA certificate that issued the Domain Controllers' certificates must be imported into the FMC as a Trusted CA certificate.

  • From the FMC navigate to Objects > PKI > Trusted CAs
  • Click Trusted CAs
  • Enter an appropriate name
  • Click Browse and import the CA certificate

  • Click Save

Configure AD Realm

From the FMC navigate to Integration > Other Integrations > Realms

  • Click Add Realm and select Active Directory/LDAP

  • Enter an appropriate name
  • Select Type as AD (or LDAP)
  • Enter the AD Primary Domain
  • Enter the Directory Username and Directory Password – this user account must pre-exist in the Active Directory domain.
  • Enter the Base DN and Group DN – this could either be the root of the AD domain or in larger AD environments, start the lookups from a specific OU.

NOTE – Base DN refers to the location where the AD user accounts are located and Group DN refers to the location where the AD groups are located. This will differ for each organisation. To determine the Base/Group DN you wish to use, open Active Directory Users and Computers, right click the OU, navigate to Attribute Editor and locate the distinguishedName value. Copy this value.

In this scenario, the AD users and AD groups are all located in the OU called “Company”.

  • Enter the Hostname/IP address of the AD Domain Controller
  • Select whether

  • Click Configure Groups and Users
  • If required, click Load Groups to fetch the AD groups
  • From the Available Groups, select the groups and click Include – these groups can be used in a policy.

  • Click Synchronize Now
  • Change the schedule from the default of 24 hours, the minimum is 1 hour.

  • Click Save
  • Click on Sync Results to confirm the Groups and Users have been downloaded.

Verification

To verify communication between the FMC and AD, you can use tcpdump on the FMC and filter on the AD Domain Controller's address. Any traffic exchanged between the two hosts will then be captured.

The output below shows two exchanges between the FMC and the AD Domain Controller: a DNS lookup of the Domain Controller's name, followed by a TCP connection to the ldaps port, which confirms LDAPS is used.

admin@FMC77:~$ sudo tcpdump host 192.168.10.4
HS_PACKET_BUFFER_SIZE is set to 4.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

12:03:15.888842 IP FMC77.32937 > SVR2K16.lab.local.domain: 10933+ A? SVR2K16.lab.local. (35)
12:03:15.895253 IP SVR2K16.lab.local.domain > FMC77.32937: 10933* 1/0/0 A 192.168.10.4 (51)
12:03:15.895525 IP FMC77.32937 > SVR2K16.lab.local.domain: 26795+ AAAA? SVR2K16.lab.local. (35)
12:03:15.914861 IP SVR2K16.lab.local.domain > FMC77.32937: 26795* 0/1/0 (82)
12:03:15.915755 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [S], seq 3015464687, win 64240, options [mss 1460,sackOK,TS val 4229491069 ecr 0,nop,wscale 7], length 0
12:03:15.922396 IP SVR2K16.lab.local.ldaps > FMC77.58158: Flags [S.], seq 169992327, ack 3015464688, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 7713901 ecr 4229491069], length 0
12:03:15.922827 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [.], ack 1, win 502, options [nop,nop,TS val 4229491076 ecr 7713901], length 0
12:03:15.925151 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [P.], seq 1:320, ack 1, win 502, options [nop,nop,TS val 4229491079 ecr 7713901], length 319
12:03:15.958339 IP SVR2K16.lab.local.ldaps > FMC77.58158: Flags [.], seq 1:1449, ack 320, win 260, options [nop,nop,TS val 7713935 ecr 4229491079], length 1448
12:03:15.958446 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [.], ack 1449, win 501, options [nop,nop,TS val4229491112 ecr 7713935], length 0
12:03:15.959349 IP SVR2K16.lab.local.ldaps > FMC77.58158: Flags [P.], seq 1449:2006, ack 320, win 260, options [nop,nop,TS val 7713935 ecr 4229491079], length 557
12:03:15.959445 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [.], ack 2006, win 501, options [nop,nop,TS val4229491113 ecr 7713935], length 0
12:03:15.962264 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [P.], seq 320:425, ack 2006, win 501, options [nop,nop,TS val 4229491116 ecr 7713935], length 105
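As an added check (example code written for this post, not Cisco's tooling), the following Python parses tcpdump output in the format above and reports whether the FMC resolved the Domain Controller's name and whether it opened the ldaps port (636) or fell back to plaintext ldap (389). The capture lines are constructed samples; the FMC hostname FMC77 is taken from the output above.

```python
import re

# Constructed sample lines in the format of the tcpdump output above (not the page's own capture):
# DNS A lookup of the DC, then the FMC opening TCP/636 (ldaps) to it.
GOOD_CAPTURE = """\
12:03:15.888842 IP FMC77.32937 > SVR2K16.lab.local.domain: 10933+ A? SVR2K16.lab.local. (35)
12:03:15.895253 IP SVR2K16.lab.local.domain > FMC77.32937: 10933* 1/0/0 A 192.168.10.4 (51)
12:03:15.915755 IP FMC77.58158 > SVR2K16.lab.local.ldaps: Flags [S], seq 3015464687, win 64240, length 0
12:03:15.922396 IP SVR2K16.lab.local.ldaps > FMC77.58158: Flags [S.], seq 169992327, ack 3015464688, length 0
"""
# Constructed capture of a realm that connects with plaintext LDAP on TCP/389 instead.
BAD_CAPTURE = """\
12:10:01.000001 IP FMC77.40001 > SVR2K16.lab.local.ldap: Flags [S], seq 1, win 64240, length 0
12:10:01.000500 IP SVR2K16.lab.local.ldap > FMC77.40001: Flags [S.], seq 2, ack 2, length 0
"""

PKT_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
DNS_QUERY_RE = re.compile(r"^(?P<id>\d+)\+ A\? (?P<name>\S+)\. \(")
DNS_ANSWER_RE = re.compile(r"^(?P<id>\d+)\*? \d+/\d+/\d+ A (?P<ip>[\d.]+)")
PLAINTEXT = {"ldap", "389"}   # tcpdump prints the service name or the raw port number
ENCRYPTED = {"ldaps", "636"}


def split_endpoint(endpoint):
    """'SVR2K16.lab.local.ldaps' -> ('SVR2K16.lab.local', 'ldaps')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def audit_capture(text, fmc_host="FMC77"):
    """Report which names the FMC resolved and which directory ports it opened."""
    queries, resolved, ports = {}, {}, set()
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # banner lines such as 'listening on eth0 ...'
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        if src_host == fmc_host and dst_port == "domain":
            q = DNS_QUERY_RE.match(m["rest"])
            if q:
                queries[q["id"]] = q["name"]
        elif dst_host == fmc_host and src_port == "domain":
            a = DNS_ANSWER_RE.match(m["rest"])
            if a and a["id"] in queries:
                resolved.setdefault(queries[a["id"]], []).append(a["ip"])
        elif src_host == fmc_host and m["rest"].startswith("Flags [S],"):
            ports.add(dst_port)  # outbound SYN: the FMC initiated this connection
    return {"resolved": resolved, "ports": ports,
            "ldaps": bool(ports & ENCRYPTED), "plaintext_ldap": bool(ports & PLAINTEXT)}
```

A result with plaintext_ldap set to True means the realm is sending directory binds in the clear and the LDAPS/Trusted CA steps above should be rechecked.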

Summary

With the AD Realm configured, the Realm can now be used in access control policies for user control, or as an authentication source for Remote Access VPN.