topic users not passing to firepower in Network Security

users not passing to firepower

systemtek — Tue, 12 Mar 2019 14:07:31 GMT

Hi All,

We are using Configure Cisco Firepower User Agent for Active Directory installed on a domain controller, both sections are green which seems to indicate it should pass the details back to the firepower.

I have some rules on the firepower and I have added some users to the rules (it find the users) but as soon as I do this they cant access the specified content. The rule works if I remove the users.

When looking in the logs, there is no reference to the username at all.

As the initial client request contains only the IP I believe that the firepower should then lookup that IP and match the username via the agent on the domain controller. Is there anyway I can test this ?

Thanks

Re: users not passing to firepower

Abheesh Kumar — Tue, 27 Nov 2018 10:48:10 GMT

Hi,
Create a test rule with the user you want to allow or block as first rule in ACP and try if its working as per the AD-Username. Before testing logoff the machine and login again to get the correct IP details.

HTH
Abheesh

Re: users not passing to firepower

systemtek — Tue, 27 Nov 2018 11:06:49 GMT

Thanks for the reply, essentially that is what I have done. I have the correct IP in the logs, but no usernames appear in the logs. It just shows as BLOCK in logs but no username details as soon as I remove the username from the rule, it works.

Thanks

Re: users not passing to firepower

Abheesh Kumar — Tue, 27 Nov 2018 11:08:29 GMT

click the TABLE VIEW of CONNECTION EVENTS to see the detailed view.

HTH
Abheesh

Re: users not passing to firepower

systemtek — Tue, 27 Nov 2018 11:10:53 GMT

Hi,

Thanks, but "Initiator User" shows as "Unknown"

Thanks

Re: users not passing to firepower

Abheesh Kumar — Tue, 27 Nov 2018 11:12:26 GMT

which version you are running and can you share a screenshot.

Re: users not passing to firepower

Abheesh Kumar — Tue, 27 Nov 2018 11:25:27 GMT

Hi,
Are you created an identity policy with passive authentication and bind to ACP right..?
For the user details Check Analysis > Users > User Activity.

HTH
Abheesh

Re: users not passing to firepower

systemtek — Tue, 27 Nov 2018 11:37:35 GMT

I already checked in Analysis > Users > User Activity and this does not show my test users activity.

Attached image from logs.

Thanks

Re: users not passing to firepower

Abheesh Kumar — Tue, 27 Nov 2018 11:41:50 GMT

Almost same issue reported by other user, please have a look.
https://community.cisco.com/t5/firepower/fmc-6-2-2-unknown-users/m-p/3353429/highlight/true#M1322

HTH
Abheesh

Re: users not passing to firepower

systemtek — Tue, 27 Nov 2018 12:04:14 GMT

Thanks for that link Abheesh Kumar I will need to spend some time today and tomorrow looking at that, I have found a few other similar posts so will take a look and see what is found. In the mean time if anyone has any other suggestions please let me know.