You cannot do that. FirePOWER would only be able to learn about the last user who logged into the terminal server and implement the policy accordingly. As of now we don't support it. I have filed an enhancement request, CSCuw60492, to add a different approach to it.
Is there any information on fixing this in future or getting this enhancement? Does anybody have access to the roadmap?
If we have more than one user, the per-user permissions are obsolete.
Any ideas for a workaround?
For now we don't support it and there is no roadmap for this feature. You can get in touch with your Cisco account team and they can get in touch with the BU to discuss the roadmap for this feature.
Thanks for this information. I will contact my Cisco account team.
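The exchange above turns on how a passive, IP-keyed identity mapping behaves when several users share one source IP. The following toy model is an added example, not code from the thread or from Cisco: the user names, IPs, port ranges and the allow-list are constructed, and the "per-session" mapping keyed by (IP, source-port range) is an illustrative assumption about how a terminal-server-aware approach might distinguish users, not a description of any product's implementation.

```python
"""Toy model: IP-keyed identity mapping vs. per-session mapping (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    port_range: tuple  # (low, high) source ports for this session; hypothetical per-session key


# Constructed sample: alice and bob both log into terminal server 10.0.0.5,
# carol is on a dedicated workstation and owns its whole ephemeral port range.
LOGINS = [
    Login("carol", "10.0.0.21", (1024, 65535)),
    Login("alice", "10.0.0.5", (20000, 20999)),
    Login("bob", "10.0.0.5", (21000, 21999)),
]

# Hypothetical access policy: only these users may reach the protected resource.
ALLOWED_USERS = {"alice", "carol"}


def map_by_ip(logins):
    """Passive mapping: each new login overwrites the user recorded for that IP."""
    mapping = {}
    for login in logins:
        mapping[login.ip] = login.user
    return mapping


def user_for_ip(mapping, ip):
    """Identity the IP-keyed model reports for any flow from `ip`."""
    return mapping.get(ip, "unknown")


def allowed_by_ip(mapping, ip):
    """Policy decision under the IP-keyed model (one answer for the whole host)."""
    return user_for_ip(mapping, ip) in ALLOWED_USERS


def map_by_session(logins):
    """Per-session mapping keyed by (ip, port range): users sharing an IP stay distinct."""
    return {(login.ip, login.port_range): login.user for login in logins}


def user_for_flow(session_map, ip, src_port):
    """Identity for a single flow, resolved by its source IP and source port."""
    for (sip, (lo, hi)), user in session_map.items():
        if sip == ip and lo <= src_port <= hi:
            return user
    return "unknown"


def allowed_for_flow(session_map, ip, src_port):
    """Policy decision under the per-session model (one answer per flow)."""
    return user_for_flow(session_map, ip, src_port) in ALLOWED_USERS


if __name__ == "__main__":
    by_ip = map_by_ip(LOGINS)
    # bob logged in last, so every flow from the terminal server is now "bob",
    # and alice is blocked even though the policy allows her.
    print("IP model:", user_for_ip(by_ip, "10.0.0.5"), allowed_by_ip(by_ip, "10.0.0.5"))
    by_session = map_by_session(LOGINS)
    print("session model:", user_for_flow(by_session, "10.0.0.5", 20123),
          allowed_for_flow(by_session, "10.0.0.5", 20123))
```

Running it shows the collapse the thread describes: under the IP-keyed model every connection from 10.0.0.5 is attributed to whoever logged in last, so the per-user rule either lets everyone on the terminal server through or blocks everyone, depending on that last login.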
There is a new feature in 6.0.1 called "Captive Portal and Active Authentication"
In order to provide better visibility in mapping users to IP addresses and their associated network events, the Captive Portal and Active Authentication feature can be configured to require users to enter their credentials when prompted through a browser window. The mapping also allows policies to be based on a user or group of users. This feature supplements the existing Sourcefire User Agent (SUA) integration with Active Directory to address non-Windows environments, BYOD users, and guests.
I think this could be a way to get the user information even if they connected to a terminal server. The user has to authenticate each session; this is not convenient, but it works.
What do you think?
Seems to be available in 6.1.0.
Note: The TS Agent feature (VDI Identity Support) is available in a limited availability program adjacent to Version 6.1.