https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4665700#M1092486 <P>That is what I thought but having an issue when joining FP to ISE keeps erroring / rejecting the cert for some reason. Will give it another attempt today.</P><P>Thank&nbsp;</P> Mon, 08 Aug 2022 12:51:44 GMT 00u18jg7x27DHjRMh5d7 2022-08-08T12:51:44Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638646#M1091260 <P>I have been attempting to set up user monitoring on our Cisco Firepower device so we can see usernames instead of IP addresses under monitoring. It works with the VPN connection but not for internal traffic. What could I be overlooking or does this require additional features? It seems straight forward I added an Identity rule Active Auth with NTLM type, placed a user available on an inside to outside rule both facing the Windows AD server that allows connections to VPN.</P><P>Thanks &nbsp;&nbsp;</P> Fri, 24 Jun 2022 20:00:30 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638646#M1091260 00u18jg7x27DHjRMh5d7 2022-06-24T20:00:30Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638648#M1091261 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1236841">@00u18jg7x27DHjRMh5d7</a> sounds like you intend to do active authentication using a captive portal? Have you've created a Realm, identity policy and referenced the identity policy in the Access Control Policy?</P> Fri, 24 Jun 2022 20:10:19 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638648#M1091261 Rob Ingram 2022-06-24T20:10:19Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638651#M1091262 <P>I have created the ID Realm it is how VPN users confirm ID when logging in. Maybe I am referencing it incorrectly but in ACL I selected under the Users Tab the server, logging beginning and end of connection.&nbsp;</P> Fri, 24 Jun 2022 20:23:43 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638651#M1091262 00u18jg7x27DHjRMh5d7 2022-06-24T20:23:43Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638661#M1091264 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1236841">@00u18jg7x27DHjRMh5d7</a> here is the guide <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/control_users_with_captive_portal.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/control_users_with_captive_portal.html</A> that has all the steps to configure.</P> <P>&nbsp;</P> <P>Do you have ISE or ISE-PIC, this uses passive authentication and more transparent and would not require the user to actively authenticate.</P> <P>&nbsp;</P> Fri, 24 Jun 2022 20:37:45 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638661#M1091264 Rob Ingram 2022-06-24T20:37:45Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638667#M1091265 <P>I unfortunately do not have ISE for the time being.&nbsp;</P> Fri, 24 Jun 2022 20:48:50 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4638667#M1091265 00u18jg7x27DHjRMh5d7 2022-06-24T20:48:50Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4664581#M1092459 <P>Rob,</P><P>&nbsp;So I am trying to set up ISE with our firepower but having problems with joining the Firepower device. We keep encountering certificate errors. Does it matter if the cert comes from ISE or FTD device? Also is FMC required to join ISE?</P><P>I already have ISE joined to the AD just trying to join the FTD now so we can test.&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Fri, 05 Aug 2022 19:27:55 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4664581#M1092459 00u18jg7x27DHjRMh5d7 2022-08-05T19:27:55Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4664755#M1092466 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1236841">@00u18jg7x27DHjRMh5d7</a> no it doesn't matter where the certificates come from, as long as both ISE and FMC trust the certificates. Commonly you would use either ISE CA to sign the pxGrid certificiates or an internal CA (Windows) - <A href="https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/" target="_self">example here</A></P> Sat, 06 Aug 2022 06:59:32 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4664755#M1092466 Rob Ingram 2022-08-06T06:59:32Z https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4665700#M1092486 <P>That is what I thought but having an issue when joining FP to ISE keeps erroring / rejecting the cert for some reason. Will give it another attempt today.</P><P>Thank&nbsp;</P> Mon, 08 Aug 2022 12:51:44 GMT https://community.cisco.com/t5/network-security/user-monitoring-with-ad-on-firepower/m-p/4665700#M1092486 00u18jg7x27DHjRMh5d7 2022-08-08T12:51:44Z