topic Re: FMC 6.2.2 - Unknown Users in Network Security

FMC 6.2.2 - Unknown Users

Ryan Curry — Fri, 21 Feb 2020 15:12:25 GMT

Alright experts, I need some assistance because this isn't making a lick of sense. I have a customer running FMC 6.2.2 and AD User Agent 2.3 that is having an issue where a lot of their connection events are showing Unkown under Initiator User. Some users show their AD accounts but most do not. The site is not using a proxy server and from my understanding this was working previously before the AD admin changed the rights of the user that was configured for the AD User Agent. He configured the user according to this document:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

As it sits, I'm going to see if we can test with an AD domain admin account just to see if it produces the same result. I'm wondering if any of you have seen this behavior?

Re: FMC 6.2.2 - Unknown Users

Rahul Govindan — Wed, 24 Jan 2018 23:08:15 GMT

Do you see any activity under the Analysis > Users > User activity section of the FMC? If this broke after a permissions change, I would try to reset it back to what is was and see if this starts showing all the users back. I have had to go through the "Troubleshoot" section of the document to configure the right permissions for a non-admin User agent user.

Re: FMC 6.2.2 - Unknown Users

Philip D'Ath — Wed, 24 Jan 2018 23:15:13 GMT

Check out this trouble shooting guide.

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118159-troubleshoot-firesite-00.html

Re: FMC 6.2.2 - Unknown Users

Ryan Curry — Thu, 25 Jan 2018 14:14:57 GMT

Perfect, I'll check that out and see what I find. Thank you Philip!

Re: FMC 6.2.2 - Unknown Users

Ryan Curry — Thu, 25 Jan 2018 14:38:14 GMT

Yup, I'm getting a fair amount of users listed in there and most are discovered by passive authentication.

Re: FMC 6.2.2 - Unknown Users

Ryan Curry — Thu, 25 Jan 2018 18:54:42 GMT

So I did some more testing and can see one of the users I'm having the issue with log in. Yet, when we do a test that hits a policy that should allow him through based on his ID it fails. When I go to look at the event it still shows "unknown user" even though it shows his ID under Analysis>User>User Activity. It's almost like it's not correlating that Initiator User and the Initiator IP.

Re: FMC 6.2.2 - Unknown Users

nehmaan123 — Thu, 01 Feb 2018 08:38:43 GMT

Had exact same issue but in my lab, Everything was configured correctly but the design of my network through an ASA 5515-X wasn't correct.

There are also bugs associated with this issue which you can check on: tools.cisco.com/bugsearch

Also, Have a pending TAC case open regarding some users reported as unknown while others are not working. Will update soon!

Re: FMC 6.2.2 - Unknown Users

workforcesoftware — Tue, 13 Feb 2018 17:32:36 GMT

Correct me if I'm wrong, but it looks like you're just doing passive authentication. If that's the case, then you will see A LOT of unknown user activity. This is because the system will only identify users when it is able to passively ID them through the identity policy you've setup. Passive authentication through AD user agent has always been iffy for us, so we've never set internal policies based on user groups. I've been told and have seen demos of it working MUCH better with Cisco ISE and AnyConnect as 802.1x agent. It's also worth noting that you can have that User Agent on up to 5 domain servers, which could also help. I personally have only gotten the user-based control to work with the remote VPN users, since they're actively authenticated.

Re: FMC 6.2.2 - Unknown Users

Ryan Curry — Fri, 16 Feb 2018 14:59:26 GMT

So I was finally able to get a TAC engineer to work on the issue and after about 4 - 5 hours he was able to get the issue resolved I believe. I know there was a bunch of hocus pocus he was doing in the CLI, but we believe the gist of the issue is that we had a second authentication realm that was causing issues even though it was inactive. Once we removed that and gave it some time (about 24 hours) we were seeing the correct users versus either stale entries or Unknown.

I would suggest if experiencing this issue, check if there's an inactive realm and remove it and/or open a TAC case.

Re: FMC 6.2.2 - Unknown Users

Guido Arturo Catalano — Thu, 22 Mar 2018 18:20:32 GMT

I have the same problem on one of our clients and was solved by TAC.

I'm going to post how we can identify this problem, but the solution sould be aplied by TAC. They used scripts to directly modify records on snort DB.

If you can identify the problem, TAC can apply the scripts in a few minutes webex session.

Problem description:

"User activity" show all users

Only a few was matched by policy, as seen on events.

What he do, was to check user-ip map.

First, he created an script on manager and sensor, to see user-ip and user-group mappings.

FS:

==============================
|          Database          |
==============================

##) IP Address [Realm ID]
 1) ::ffff:10.x.x.x [2]
 2) ::ffff:10.y.y.y [2]
 3) ::ffff:10.z.z.z [2]


##) Group Name (ID) [realm: Realm Name (ID)]
 1) Domain Users (6) [realm: xxx.local (2)]
 2) Restringidos (25) [realm: xxx.local (2)]

SFR:

==============================
|          Database          |
==============================

No IP Addresses

##) Group Name (ID)
 1) Restringidos (25)
 2) Domain Users (6)

Then, and this can be done before calling TAC, he checked the file with ip-user mappings.

The file was 40k on FSight and only a few bytes on sensor.

I figured out how it works. Sensor donwnload full file each 5min and make incremental updates on a separate file. So it has two, full, which should be same size as the file on manager, and a smallone.

Expert mode command: ls -halt /var/sf/user_enforcement/

SFR, not working:

root@SFR2:/var/sf/user_enforcement# ls -halt
total 60K
-rw-r--r-- 1 root root 497 Mar 22 16:28 user_ip_map.1521735637
drwxr-xr-x 2 www www 4.0K Mar 22 16:21 .
-rw-r--r-- 1 root root 23K Mar 22 16:20 user_ip_map.snapshot.1521735637
-rw-r--r-- 1 root root 509 Mar 22 16:15 user_ip_map.1521734735
-rw-r--r-- 1 root root 20K Mar 22 16:02 user_ip_map.snapshot.1521734538
drwxr-xr-x 67 root root 4.0K Nov 29 2016 ..

Then, he created and run a second script, which clear the DB.

(I can't post the full script here)

After that, the file user_ip_map show almost the same size on SFR than FS (same command). And users become detected correctly.

Please rate if this info was helpfull

Guido

Re: FMC 6.2.2 - Unknown Users

Santimac — Thu, 15 Aug 2019 16:30:13 GMT

Hi, can any one help on how the configure the AD users to show under event connections?

Thanks

Re: FMC 6.2.2 - Unknown Users

ismail_salma1987 — Tue, 04 Aug 2020 01:32:19 GMT

Hi There,

I am also facing the same issue, can you please help me with the first and second scripts.

Regards,

Ismail Kalolwala