Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cisco PRSM Policy CX identity Objects

Good afternoon

I configured the Cisco Prime Security Manager (PRSM), and i have already tried the Web Filter, Application Control, IPS and Malware with IP addresses. Now I'm trying to add policies with CX Identity Objects, I have configured and tested the Directory Realm, it's working because I got self completed the fields when create CX Identity Objects. Also i have configured an Identity Policy in passive mode (if I skip these step the validation of the user doesn't work).

When I create the CX Identity Object I fill the fields in the Include section as follows:

  • Group with the corresponding group in my AD, left user field empty because I want to take all the users in the group and Identity objects has three options, Known Users which make reference to the users that are correctly identified, Unknown Users the opposite of known users, and empty in which case i guess it validate any user independently of his identity.

So I have three cases to create the CX Identity Object, Group corresponding to the AD group, user empty to take all the user in the group and the only field that changes is the Identity Object.

  1. When I select Known Users, all users match the first policy because all users are authenticated.
  2. When I select Unknow Users, any of my users match the corresponding policy and go to the Implicit Allow because they are authenticated.
  3. When I left the field empty all users match directly the Implict Allow.

So I want to know if I'm making something wrong or I'm missing something.

Please let me know if need something to help me with my problem, thanks a lot.

Everyone's tags (3)
Community Member

I don't get it what exactly

I don't get it what exactly are you intended to do. If you want, write the problem in Spanish.



Known and Unknown users are

Known and Unknown users are special groups and they do not refer to AD authenticated users. You will need to create your own CX group and add your AD groups into that if you want a single group with "Authenticated" users and "Un-Authenticated Users"

Hope it helps.

CreatePlease to create content