topic Re: Access Control Policy Blocking Sites targeting Active Directory Us in Network Security

Access Control Policy Blocking Sites targeting Active Directory Users

Herald Sison — Wed, 25 May 2022 05:18:53 GMT

Hi Everyone,

I got into this roadblock while implementing a blocking to specific websites like facebook, youtube and adult sites and i want to block only certain group of people by targeting their active directory users login.

i have already created Realms and imported users and groups from AD and it was running pretty smooth, even my RAVPN is getting authentication from it is running pretty well and i also created an Identity policy as the Access Control Policy requires me for it.

Now, i made a test block under ACP for any users any source and any destination with the specific urls and it worked well but when i tried to add specific users under USERS tab in my Policy all users can access the blocked URL's which is not what i expect i even added a single AD group or a single AD user it still can access those blocked url's,

I am using FTD7.0.1.1 and FMC 7.0.1.1 with ASA5508X

Here is a look on my ACP.

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Wed, 25 May 2022 21:51:41 GMT

You need to check the connection logs and see how the users are matched. I suspect they are showing up as Unknown.

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Thu, 26 May 2022 02:11:01 GMT

Hi Sir, i think you are right it says unkown. how to fix this issue sir?

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Fri, 27 May 2022 20:55:20 GMT

You might want to try to download the User Database manually. System > Integration > Realms and edit the realm go to User Download and then click Download Now. This should be configured to download automatically on a schedule but might be worth a try.

Also, you could have a look at the following link where the blogger has experience a similar issue.

https://finkotek.com/firepower-management-center-initiator-user-is-unknown/

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Sat, 28 May 2022 04:20:50 GMT

Thanks sir but in my case i am using FMC7.0.1.1 and i cannot find any download button.

and i read the blog and he mentioned about AD agent? i have not installed or configured any AD agent, where can i get that one? is that a software that needs to be installed in the AD? just like in sonicwall SSO AGENT?

also i found some blogs that when using an AD user agent you need to setup from System > INtegration > Identity Soures > User Agent (button) but in my FMC there is no button for User Agent.

see below:

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Fri, 03 Jun 2022 16:20:13 GMT

Anyone? Is there a solution for this?

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Sat, 04 Jun 2022 12:06:58 GMT

What is the domain that the "Unknown" user is associated with? is it mydomain.local or domain1.mydomain.local.

Did you re-sync the user database. you can do this by clicking on Load Groups under Groups and User Sync tab you posted the screenshot of earlier.

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Mon, 06 Jun 2022 04:36:46 GMT

Hi Sir,

the primary active directory serve is TT-ADDS01.XYZ.local and the domain is XYZ.LOCAL.

i have synced the users a lot of times already

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Fri, 10 Jun 2022 07:14:03 GMT

Hi Sir,

update: i have installed and configured ISE-PIC virtual and integrated to AD and FMC but still the url blocking is still not working for active directory users.

please help!

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Sun, 12 Jun 2022 18:54:09 GMT

I am assuming the the users you are trying to block with this rule are in one of the two user groups you have defined in the rule?

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Mon, 13 Jun 2022 02:18:46 GMT

yes its part of one of the groups. i even tried to test block 1 user but still blocking is not working.

one more thing i bumped in to his bug just today. does this bug preventing the blocking to work correctly?

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Mon, 13 Jun 2022 03:57:31 GMT

Are you able to try to specify a specific user instead of the group? does the rule work then?

The error is very generic but doesn't necessarily mean that it is a bug

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Tue, 14 Jun 2022 08:26:29 GMT

i tried adding single user but still the url blocking does not work. i even tried adding multiple individual users but still does not work. the only option that works for me is to block per ip address but in our current office setup this is not a doable option since most of the people from the production, they constantly changes cubicle positions and use different computers daily.

and 1 more thing, by looking at the connection events i see a lot of "Not Found" for Initiator User.

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Thu, 16 Jun 2022 04:59:08 GMT

I suspect the issue is that you are using passive authentication, and the FTD is having issues authenticating the user with this method. If you use active authentication with captive portal are you able to match the access rule?

Refer to this link if you want to continue to use passive authentication:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/control_users_with_ts_agent.html

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Thu, 16 Jun 2022 16:45:59 GMT

does that mean the ISE-PIC is not useful anymore? i have tried enablind active authenticatio in my identity policy but some mobile devices gets a "no internet notifications" from their network adapter but still they can connect to the internet and if a blocked site was hit it will redirect to the firewalls inside interface https page.

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Sun, 19 Jun 2022 22:12:19 GMT

You need to decide how you want to authenticate your users, if that is via ISE-PIC or directly with the AD. This is a design choice you need to make and based on that choice you will know if you need the ISE in the network.

As for traffic not hitting your rule, which are you using to authenticate users now? AD or ISE?

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Mon, 20 Jun 2022 03:47:54 GMT

in the documentation and even in the youtube tutorials, setting up ISE-PIC needs AD realms so i think both AD and ISE-PIC works together.

i also read some exchange conversation online that we need to run this command (user_map_query.pl -i 172.20.7.100) on both FMC and FTD to check if mapping is present. Upon running the command it shows that FMC is mapping the user correctly but not on the FTD and the possible workaround is syncing the database from FMC to FTD and requires a snort restart.

the problem is i dont know what is the command to do this workaround and is it safe to do this?

see results below:

in FMC:

WARNING: This script was not tested on this major version (7.0.1)! The results may be unexpected.

Current Time: 06/16/2022 06:19:51 UTC

Getting information on IP Address(es)...

___

IP #1: 172.20.7.100

---

==============================

| Database |

==============================

##) Username (ID)

1) hsison (1294)

for_policy: 1

Last Seen: Unknown

in FTD:

WARNING: This script was not tested on this major version (7.0.1)! The results may be unexpected.

Current Time: 06/16/2022 06:23:18 UTC

Getting information on IP Address(es)...

ERROR: Unable to find IP address '172.20.7.100' in the database!

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Tue, 21 Jun 2022 20:11:08 GMT

I think you have misunderstood the setup. You integrate AD with ISE and then use ISE as and identity source in FMC.

With regard to mapping the users on the FTD that requires SNORT restart. Any time the SNORT process restarts there will be network outage until the process is back online. So this should be done in a planned service window

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Herald Sison — Wed, 22 Jun 2022 14:51:55 GMT

Hi sir, you are right.

May i know how to map users in FTD? Is there a command or documentation for that? I can perform that during the weekend since that is the only time i can perform reboots.

Re: Access Control Policy Blocking Sites targeting Active Directory Us

Marius Gunnerud — Sun, 26 Jun 2022 21:15:16 GMT

Here is a document on integrating FMC with ISE

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/guide-c07-742017.html

for other documents on FMC integrations you can go to the following link.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216120-ise-security-ecosystem-integration-guide.html#anc34