About Realms
Realms are connections between the Firepower Management Center and the user accounts on the servers you monitor. They specify the connection settings and authentication filter settings for the server. Realms can:
- Specify the users and user groups whose activity you want to monitor.
- Query the user repository for user metadata on authoritative users, as well as some non-authoritative users: POP3 and IMAP users detected by traffic-based detection, and users detected by traffic-based detection, a user agent, a TS Agent, or ISE/ISE-PIC.
You can add multiple domain controllers as directories in a realm, but they must share the same basic realm information. The directories in a realm must be exclusively LDAP or exclusively Active Directory (AD) servers. After you enable a realm, your saved changes take effect next time the Firepower Management Center queries the server.
To perform user awareness, you must configure a realm for any of the supported server types. The system uses these connections to query the servers for data associated with POP3 and IMAP users, and to collect data about LDAP users discovered through traffic-based detection.
The system uses the email addresses in POP3 and IMAP logins to correlate those logins with LDAP users on an Active Directory or OpenLDAP server. For example, if a managed device detects a POP3 login for a user with the same email address as an LDAP user, the system associates the LDAP user's metadata with that user.
To perform user control, you can configure any of the following:
- A realm for an AD server, or for either the user agent or ISE/ISE-PIC.
  Note
  Configuring a realm is optional if you plan to configure SGT ISE attribute conditions but not user, group, realm, Endpoint Location, or Endpoint Profile conditions.
- A realm for an AD server for the TS Agent.
- For captive portal, an LDAP realm. A realm sequence is not supported for LDAP.
About User Download
You can configure a realm to establish a connection between the Firepower Management Center and an LDAP or AD server to retrieve user and user group metadata for certain detected users:
- LDAP and AD users authenticated by captive portal or reported by ISE/ISE-PIC or a user agent. This metadata can be used for user awareness and user control.
- POP3 and IMAP user logins detected by traffic-based detection, if those users have the same email address as an LDAP or AD user. This metadata can be used for user awareness.
You configure LDAP server or Active Directory domain controller connections as a directory in a realm. You must check Download users and user groups for access control to download a realm's user and user group data for user awareness and user control.
The Firepower Management Center obtains the following information and metadata about each user:
- LDAP user name
- First and last names
- Email address
- Department
- Telephone number
About User Activity Data
User activity data is stored in the user activity database and user identity data is stored in the users database. The maximum number of users you can store and use in access control depends on your Firepower Management Center model. When choosing which users and groups to include, make sure the total number of users is less than your model limit. If your access control parameters are too broad, the Firepower Management Center obtains information on as many users as it can and reports the number of users it failed to retrieve in the Tasks tab page of the Message Center.
Note
If you remove a user that has been detected by the system from your user repository, the Firepower Management Center does not remove that user from its users database; you must manually delete it. However, your LDAP changes are reflected in access control rules when the Firepower Management Center next updates its list of authoritative users.
Realms and Trusted Domains
When you configure a realm in the Firepower Management Center, it is associated with an Active Directory or LDAP domain.
A grouping of Microsoft Active Directory (AD) domains that trust each other is commonly referred to as a forest. This trust relationship can enable domains to access each other's resources in different ways. For example, a user account defined in domain A can be marked as a member of a group defined in domain B.
The Firepower System and trusted domains
The Firepower System does not support trusted AD domains. This means that the Firepower System does not track which configured domains trust each other, and does not know which domains are parent or child domains of each other. The Firepower System also has not been tested to assure support for environments that use cross-domain trust, even when the trust relationship is exercised outside of the Firepower System.
Supported Servers for Realms
You can configure realms to connect to the following types of servers, provided they have TCP/IP access from the Firepower Management Center:

| Server Type | Supported for User Agent data retrieval? | Supported for ISE/ISE-PIC data retrieval? | Supported for TS Agent data retrieval? | Supported for captive portal data retrieval? |
|---|---|---|---|---|
| Microsoft Active Directory on Windows Server 2012, 2016, and 2019 | No (user agent supported on Windows Server 2008 and 2012 only) | Yes | Yes | Yes |
| OpenLDAP on Linux | No | No | No | Yes |

Note
If the TS Agent is installed on a Microsoft Active Directory Windows Server shared with another passive authentication identity source (the User Agent or ISE/ISE-PIC), the Firepower Management Center prioritizes the TS Agent data. If the TS Agent and a passive identity source report activity by the same IP address, only the TS Agent data is logged to the Firepower Management Center.
Note the following about your server group configurations:
- To perform user control on user groups or on users in groups, you must configure user groups on the LDAP or Active Directory server.
- Group names cannot start with S- because that prefix is used internally by LDAP. Neither group names nor organizational unit names can contain special characters such as asterisk (*), equals (=), or backslash (\); otherwise, users in those groups or organizational units are not downloaded and are not available for identity policies.
- To configure an Active Directory realm that includes or excludes users who are members of a sub-group on your server, note that Microsoft recommends that Active Directory has no more than 5000 users per group in Windows Server 2012. For more information, see Active Directory Maximum Limits—Scalability on MSDN. If necessary, you can modify your Active Directory server configuration to increase this default limit and accommodate more users.
- To uniquely identify the users reported by a server in your Remote Desktop Services environment, you must configure the Cisco Terminal Services (TS) Agent. When installed and configured, the TS Agent assigns unique ports to individual users so the Firepower System can uniquely identify those users. (Microsoft changed the name Terminal Services to Remote Desktop Services.)
For more information about the TS Agent, see the Cisco Terminal Services (TS) Agent Guide.
Supported Server Object Class and Attribute Names
The servers in your realms must use the attribute names listed in the following table for the Firepower Management Center to retrieve user metadata from the servers. If the attribute names are incorrect on your server, the Firepower Management Center cannot populate its database with the information in that attribute.
| Metadata | FMC Attribute | LDAP ObjectClass | Active Directory Attribute | OpenLDAP Attribute |
|---|---|---|---|---|
| LDAP user name | Username | | samaccountname | cn, uid |
| first name | First Name | | givenname | givenname |
| last name | Last Name | | sn | sn |
| email address | | | mail, userprincipalname (if mail has no value) | |
| department | Department | | department, distinguishedname (if department has no value) | ou |
| telephone number | Phone | | telephonenumber | telephonenumber |

Note
The LDAP ObjectClass for groups is group, groupOfNames (group-of-names for Active Directory), or groupOfUniqueNames.
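As an added example (not Cisco's code), the Python below checks a directory export against the attribute table above and the group-naming rules from the server configuration notes: it maps entries onto the FMC metadata fields using the documented fallbacks and flags group or OU names the FMC would not download. The entries and names are constructed sample data, and `mail` as the primary e-mail attribute is inferred from the table's "(if mail has no value)" wording.

```python
import re
# FMC field -> directory attributes to try, in priority order, per the table
# above (userprincipalname only when mail is empty, distinguishedname only
# when department is empty, OpenLDAP username from cn or uid). "mail" as the
# primary e-mail attribute is inferred from "(if mail has no value)"; the
# table names no OpenLDAP e-mail attribute, so none is assumed here.
USER_ATTRS = {
    "ad": {"username": ["samaccountname"], "first_name": ["givenname"],
           "last_name": ["sn"], "email": ["mail", "userprincipalname"],
           "department": ["department", "distinguishedname"],
           "phone": ["telephonenumber"]},
    "openldap": {"username": ["cn", "uid"], "first_name": ["givenname"],
                 "last_name": ["sn"], "department": ["ou"],
                 "phone": ["telephonenumber"]},
}
# Asterisk, equals and backslash make a group or OU name undownloadable.
BAD_NAME_CHARS = re.compile(r"[*=\\]")

def resolve_user(entry, server_type):
    """Map one entry (lower-case attribute name -> value) onto FMC fields,
    taking the first listed attribute with a non-empty value, else None."""
    return {field: next((entry.get(a) for a in attrs if entry.get(a)), None)
            for field, attrs in USER_ATTRS[server_type].items()}

def group_name_problems(name):
    """Reasons the FMC would skip this group or OU name (empty if none)."""
    problems = []
    if name.startswith("S-"):
        problems.append("starts with reserved prefix S-")
    if BAD_NAME_CHARS.search(name):
        problems.append("contains one of * = \\")
    return problems

def audit(entries, group_names, server_type):
    """Pre-flight report: entries the FMC cannot assign a username, and
    group/OU names it would not download, each with its reasons."""
    unnamed = [e for e in entries
               if resolve_user(e, server_type)["username"] is None]
    return unnamed, {g: p for g in group_names if (p := group_name_problems(g))}

# Constructed sample entries and group names (not real directory data).
SAMPLE_ENTRIES = [
    {"samaccountname": "jdoe", "givenname": "Jane", "sn": "Doe", "mail": "",
     "userprincipalname": "jdoe@example.com", "department": "",
     "distinguishedname": "CN=Jane Doe,OU=Sales,DC=example,DC=com"},
    {"givenname": "Ghost", "sn": "Account"},  # no samaccountname at all
]
SAMPLE_GROUPS = ["Engineering", "S-1-5-21-sample", "Sales=East", "Ops*"]
if __name__ == "__main__":
    print(audit(SAMPLE_ENTRIES, SAMPLE_GROUPS, "ad"))
```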
For more information about ObjectClasses and attributes, see the following references: