I configured the Cisco Prime Security Manager (PRSM), and I have already tried the Web Filter, Application Control, IPS and Malware with IP addresses. Now I'm trying to add policies with CX Identity Objects. I have configured and tested the Directory Realm; it's working because the fields are auto-completed when I create CX Identity Objects. I have also configured an Identity Policy in passive mode (if I skip this step, the validation of the user doesn't work).
When I create the CX Identity Object I fill the fields in the Include section as follows:
Group is set to the corresponding group in my AD, and I left the user field empty because I want to take all the users in the group. Identity objects have three options: Known Users, which refers to the users that are correctly identified; Unknown Users, the opposite of Known Users; and empty, in which case I guess it validates any user independently of his identity.
So I have three cases for creating the CX Identity Object: Group corresponding to the AD group, user empty to take all the users in the group, and the only field that changes is the Identity Object.
When I select Known Users, all users match the first policy because all users are authenticated.
When I select Unknown Users, any of my users match the corresponding policy and go to the Implicit Allow because they are authenticated.
When I leave the field empty, all users directly match the Implicit Allow.
So I want to know if I'm doing something wrong or I'm missing something.
Please let me know if you need something to help me with my problem, thanks a lot.
Known and Unknown users are special groups and they do not refer to AD authenticated users. You will need to create your own CX group and add your AD groups into that if you want a single group with "Authenticated" users and "Un-Authenticated Users".