topic Re: Firepower - Allow based on AD Computer Object in Network Security

Firepower - Allow based on AD Computer Object

Scott_22 — Wed, 14 Oct 2020 16:31:53 GMT

If we are using pxGrid as our identity service, can we allow computers based on their computer object in AD? Ex. If we want to block an AD group of computers from accessing a resource?

Re: Firepower - Allow based on AD Computer Object

Rob Ingram — Wed, 14 Oct 2020 16:56:53 GMT

@Scott_22

You could, but the only way the FMC/FTD would have a computer binding would be if the computer has been authenticated and is at the login prompt without a user logged in, otherwise that binding is replaced with a user/ip binding.

HTH

Re: Firepower - Allow based on AD Computer Object

Scott_22 — Wed, 14 Oct 2020 17:32:55 GMT

Okay, so with that being said, there's not really a way to do this if a user is logged into the machine?

Re: Firepower - Allow based on AD Computer Object

Rob Ingram — Wed, 14 Oct 2020 17:36:39 GMT

Correct.

You'd need to block traffic based on the logged in user or group.

Re: Firepower - Allow based on AD Computer Object

Aref Alsouqi — Wed, 14 Oct 2020 17:54:30 GMT

Interestingly I had tried that a few weeks ago and could not make it working in any way. Although I could see the computer object in the ACP users tab and add it to the selected "users", the FMC could not treat it as a user, hence no traffic was matching. When I ran some identity debug, I kept seeing that object coming as unknown with all 9s. Then I thought it might have been caused by the $ sign appended to the computer name, I went to change that on the AD, but that did not help. Also, although I could see the computer name correctly in the active sessions page, but never showed up in the connections event. My conclusion on this is that FMC can't treat the computers as users due to the object class "computer" associated to them.