topic Thanks Kaisero, I need to in Network Security

Cisco ASA With Firepower Services integration with Active Directry Issue

cpradoscarvajal — Tue, 12 Mar 2019 09:08:52 GMT

Greetings,

We are having the following problem with our implementation of the Cisco Firepower integration with Active Directory and need Cisco’s help for this issue.

Our customer is based in LATAM and using an Active Directory (AD) that is in Spanish. The Firepower is not able to integrate with the AD because of the BUG CSCuv61861. The TAC’s first suggestion was to follow the Bug workaround of changing the AD to English, which is not viable for the end customer.

I going to start by quoting the Cisco’s TAC conclusion:

“It appears that you are being impacted by bug CSCuv61861. In a nutshell, the issue is that the AD User Agent does not support languages other than English. That is something that development is working on, but might take some time to resolve. For now, my recommendation is that you forward tracking number "CSCuv61861" to your Sales person who should be able to solicit the latest updates on the matter from the Cisco Business Unit”

Our problem is that the TAC wants to close the case without giving a solution to the end customer when in reality this case should be raised to a development team in order to fix the Bug. According to the TAC, some development team is working this case, but the case should be kept open and escalated so that the End Customer can be sure that Cisco is working on it and not just trusting on the TAC’s word.

We have tried to escalate the case commercially but not even our account manager receives an update internally from Cisco.

The delicate situation here is that one of the most important reasons for the customer to migrate their ULR filtering and application control to Cisco firewpower is the integration with the AD, and in Latin America, probably most of the ADs are in Spanish. What can we tell our future customers now about this solution when it is not able to integrate with their AD.

I need Cisco’s help in order to escalate this case and not closing it as the TAC’s wants. Is it possible to have some orientation from Cisco in this forum?

Thanks a lot in advanced

I understand your frustration

Oliver Kaiser — Wed, 29 Mar 2017 20:43:02 GMT

I understand your frustration but I dont think this issue will be resolved any time soon. This feature limitation is very old and still not fixed. I would recommend contacting your cisco account manager once again and tell him that this is very important to you and is basically a deal breaker for your customer(s). Normally there shouldn't be any issue to get an update from the BU on issues like that, if you don't receive any information I would think that the problem is you first point of contact.

As for a possible workaround I would suggest using ISE with PassiveID. You can gather identity information with ISE and forward it via pxGRID to Firepower Management Center. ISE will directly join the AD and read the security log via WMI to receive the ip:user mappings. If deploying an additional VM for identity integration is an option this would be the way to go.

Let me know if that helps or if you need any additional information.

Hi Kaisero,

cpradoscarvajal — Thu, 06 Apr 2017 16:54:20 GMT

Hi Kaisero,

Thanks for your respond.

Is unfortunate that Cisco is not taking care of this issue. I work in LATAM and there are many customers specially medium customers that need this solution, but selling another box is just too expensive for them.

In my opinion there is great potential in this product, but the language limitation creates a problem when selling the solution.

Regards

Christian Prados

Thanks a lot Christian for

Mon, 29 May 2017 15:28:32 GMT

Thanks a lot Christian for the detailed contribution, did you get any solution?

This is a critical issue, only english supported is unacceptable. Me and other partners had the same issue about a year ago in Portuguese.

Can't believe we still have this problem around, of course it IS a deal breaker. And a suitable treatment in problems like this one may be the reason some players are getting security market chunk while others are losing. And I believe this is one of Cisco's main security projects (correct me if I am wrong).

The "solution" => Change Active Directory's Language - I'd rather not comment.

And I got no hope in my case with same issue from Cisco Partner Helpline as well..

it seems like ISE-PIC will be

Oliver Kaiser — Wed, 31 May 2017 09:32:10 GMT

it seems like ISE-PIC will be the way forward. The agent hasnt been updated in ages and I dont think the language requirements will be changed (atleast I am not aware of it).

This is a bad, in my world

Mon, 05 Jun 2017 14:05:28 GMT

This is a bad, in my world It's never too late to evolve for those who wants it.

So we sell a NGFW / UTM solution that cannot integrate with users database. Or, the customer has to buy another solution to make it work.

So what is the SKU for

Mon, 05 Jun 2017 14:08:02 GMT

So what is the SKU for ordering ISE-PIC? People are having a hard time finding it as you can see here:

https://communities.cisco.com/thread/79188?start=0&tstart=0

Thanks Kaisero, I need to

Mon, 05 Jun 2017 14:26:49 GMT

Thanks Kaisero,

I need to find an additional information to show to my customers, maybe you can help:
- Where do I find, in public documentation, that ASA with FirePOWER is only a NGFW/UTM IF you have Active Directory in English or IF you buy Cisco additional softwares?

IMO they should add support

Oliver Kaiser — Mon, 05 Jun 2017 14:47:57 GMT

IMO they should add support for other lanugages but then again I think every windows server should be installed in english due to other issues as well... If you are looking for the SKU its R-ISE-PIC-VM-K9= with ~ 1360$ list price.

Hi Paulo, unfortunately

cpradoscarvajal — Thu, 15 Jun 2017 17:21:03 GMT

Hi Paulo, unfortunately according to the TAC we will have to wait. There is no news about an upgrade for the agent that integrates with the AD in other languages other than english.

I tried speaking with the representative in Venezuela and there is no much knowledge about this issue. Their only suggestion is to follow the TAC advise.

I still have a case open for this with the TAC (95573352), but the TAC is not able to do anything else.

After doing some research of the solution, I found out that this problem comes from when the solution was only sourcefire, and they only worked with english and japanese by that time.

We tried to do active authentication, but the problem is that active authentication has limitations.

In Venezuela only few customers have the Active Directory in english. The thing is that many customer need to migrate to the new Firepower not only to replace an old ASA but also to replace URL filtering solutions like Microsoft TMG that are EOL. We might lost lots of opportunities.

Now I know that we are not facing this issue alone.

Regards

Christian

Thanks for your feedback, it

Thu, 15 Jun 2017 17:40:56 GMT

Thanks for your feedback, it's really sad the way that Cisco is conducting this issue.

I've contacted local Cisco AMs and other roles related to the customer facing the problem, nobody even voted this issue up.

It makes me feel seriously worried.