topic Re: Discovery Users within Firepower in Network Security

Discovery Users within Firepower

Scott_22 — Fri, 29 May 2020 15:54:46 GMT

I'm am attempting to discover users within our infrastructure through a network discovery policy, but the FMC doesn't seem to discover anyone. I have a network discovery policy configured to detect users, hosts, and applications. Do I also need an identity policy mapped to a realm? Can the users be discovered via pxGrid with ISE?

Re: Discovery Users within Firepower

ShineSudheesh — Fri, 29 May 2020 17:34:05 GMT

Dear Scott,

For getting the user details on Cisco FMC , you need to integrate your FMC with AD.

Please follow the below steps

++Configure user discovery on your network discovery policy for RFC1918

++Integrate FMC with AD using realm

++Download the user details from AD to FMC under Realm user download section

++Configure identity policy with passive authentication.

once this is successful, you should be able to see the user group details on ACP rule on user tab.

For user to IP mapping , you can use useragent. Please note user agent support is only till 6.6.

For user-agent integration, you can refer the below link.

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

Please rate if this is helpful to you.

Regards

Shine Sudheesh

Re: Discovery Users within Firepower

Scott_22 — Fri, 29 May 2020 19:05:36 GMT

Does the identity policy need to be configured on an ACP as well?

Re: Discovery Users within Firepower

Maykol Rojas — Fri, 29 May 2020 20:05:27 GMT

No really, you do the AD integration, and then on the ACP what you do is to pull the users/groups to build your Policy.

Re: Discovery Users within Firepower

sreejith_r — Fri, 29 May 2020 20:11:15 GMT

Yes .You need to associate the identity policy with an access control policy to allow or block selected users from accessing specified resources.

Re: Discovery Users within Firepower

Scott_22 — Sun, 31 May 2020 21:04:47 GMT

My questions is solely focused on network discovery. To discover users, does the Identity policy need to be applied anywhere? I know the realm obviously needs to be applied to the Identity Policy, but want to confirm that is all that is needed. End goal is to view users and their account names within analysis.

Re: Discovery Users within Firepower

Marvin Rhoads — Mon, 01 Jun 2020 03:46:23 GMT

Passive user discovery will only tell you a small part of the story that can be gleaned from observing information transiting the device in clear text.

For best results use ISE via pxGrid. Of course that assumes users are being required to authenticate via network access control that ISE is enforcing and that ISE is linked to your identity source (typically AD).

Re: Discovery Users within Firepower

Scott_22 — Mon, 01 Jun 2020 13:16:39 GMT

Assuming users are authenticating via ISE and pxGrid is configured, what are the steps to discover users? If pxGrid is configured are users automatically synced with the FMC?

Re: Discovery Users within Firepower

Marvin Rhoads — Mon, 01 Jun 2020 14:21:59 GMT

The FMC is a subscriber to the session information coming from ISE via pxGrid. So - yes, the synchronization happens automatically for users' ISE authentication info (username and IP address) to be communicated to FMC

Re: Discovery Users within Firepower

Scott_22 — Mon, 01 Jun 2020 14:49:55 GMT

Okay, so an ACE is not needed in the ACP to simply discover information about a users session? Based on this document, it mentions the following:

"The FMC may download all the users and IP address bindings to its heart’s content, but none of the data that is downloaded will be used in the policy until there is a realm configured to determine which groups and users to use in the firewall policies.....The realm is now fully configured for rule creation, along with the pxGrid integration for learning what IP addresses belong to which users and devices. Now you are ready to add identity information to the access policy rules in the FMC."

So the 2nd step of adding the identity policy to an ACP is not required for discovery only?

https://www.ciscopress.com/articles/article.asp?p=2963461&seqNum=2