https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877014#M1031026 <P>I tried with Access Policy in FP . It is same behavior. for some reason it is dropping the packet .</P> <P></P> <P></P> Fri, 22 Apr 2016 15:29:36 GMT gncomms01 2016-04-22T15:29:36Z https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877011#M1031023 <P>I am trying to setup the Active and Passive Authentication with Firepower version 6 ( ASA 5585-SSP-60 )</P> <P></P> <P>I installed the fire power user agent and setup realm in integration.&nbsp; Passive Authentication works. I am seeing two problems,</P> <P></P> <P>1) if user is not in active directory , than trying to use Active Authentication . but on the firewall logs keep getting the packet drops,&nbsp; not getting the authentication window.&nbsp; Captive-portal is setup on the firewall. Any ideas</P> <P></P> <P>%ASA-4-434002: SFR requested to drop TCP packet from vlan80:10.255.111.10/53061 to identity:10.255.111.253/885</P> <P></P> <P>2) Passive Authentication , notice that if login with local user account ( not the domain account ) firepower don't identify the user as guest/unknown . Will keep allow the traffic with last known domain user id from&nbsp;that computer. Is this normal behaviour ?</P> <P></P> <P></P> <P></P> Tue, 12 Mar 2019 12:59:04 GMT https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877011#M1031023 CSCO12002221 2019-03-12T12:59:04Z https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877012#M1031024 <P>Hi,</P> <P></P> <P>For the second one it is expected because the user entry is still there . The default timeout is 1440 minutes , if you want you can change that&nbsp; under System &gt; Integration &gt;Realm configuration.</P> <P></P> <P>For the first one I am really not quite sure but ideally it should at least prompt for the authentication window. You might need to open up a TAC case so that further analysis can be done in this.</P> <P></P> <P>Regards,</P> <P>Aastha Bhardwaj</P> <P>Rate if that helps!!!</P> <P></P> <P></P> <P></P> Thu, 21 Apr 2016 13:18:26 GMT https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877012#M1031024 Aastha Bhardwaj 2016-04-21T13:18:26Z https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877013#M1031025 <P>In the access policy on the FP, do you allow traffic to 10.255.111.253/885 ?</P> <P>/Per</P> <P></P> <P></P> Fri, 22 Apr 2016 08:37:59 GMT https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877013#M1031025 Per Tenggren 2016-04-22T08:37:59Z https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877014#M1031026 <P>I tried with Access Policy in FP . It is same behavior. for some reason it is dropping the packet .</P> <P></P> <P></P> Fri, 22 Apr 2016 15:29:36 GMT https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877014#M1031026 gncomms01 2016-04-22T15:29:36Z https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877015#M1031027 <P>Thanks Aastha. I tried changing the timeout in realm configuration but this effects the Active Directory Users also. I reduce the time to 30 mins or 10 mins and notice that it is keep logging off Active directory user and shows them as unknown . </P> <P></P> <P></P> Fri, 22 Apr 2016 15:31:47 GMT https://community.cisco.com/t5/network-security/firepower-active-authentication-unable-to-make-it-work/m-p/2877015#M1031027 gncomms01 2016-04-22T15:31:47Z