Does ASA with FirePower integrated with AD need to have an agent installed?

Ryan YC
Level 1

Hi,

I recently set up a lab for ASA with FirePower integrated with a Microsoft AD deployment,

but I am wondering whether FirePower must have an agent installed on the AD server.

I installed the agent on the AD server and set up the LDAP connection on the FireSIGHT VDC server; then it can fetch the AD forest, and the dashboards for source/destination user all display user information.

But I tried removing the agent and stopping the service on AD, and the FireSIGHT VDC can still set up the LDAP connection,

so I am wondering whether FirePower must have the agent installed on the AD server.

If not, is there a difference between having it installed or uninstalled?

Please help, thanks!


Marvin Rhoads
Hall of Fame

Are you asking about the Sourcefire User Agent (SFUA)?

Defense Center / Firesight Management Center (old and new names) use that to get user identity for reporting. Even if the SFUA is uninstalled, it will still have the historical record.

Thanks Marvin Rhoads,

I see...

So if I want to deploy a POC environment and need to show LDAP user information on the dashboard,

then I must install SFUA on the AD server?

SFUA must be installed on a machine in your environment. It doesn't need to be on the Domain Controller itself, but it will use a username with credentials that can query the DC's Security Logs for logon/logoff events etc.

It uses WMI and there are detailed instructions in the SFUA User Guide. Regarding the privileges needed by the SFUA user in AD see the more explicit tips here:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

Thanks Marvin,

If I want to configure the ASA SFR module in monitor-only mode,

and I only need to collect user access information on the FireSIGHT dashboard,

with no user access control, must I still install the agent to connect to the domain controller?

Or can FireSIGHT collect user access information agentlessly?

 

 

Without a SFUA, the system will give its best guess based on observed traffic.

The SFUA will be able to query the domain controller(s) via WMI and thus correlate logon/logoff events that are only available via that method.

Thanks Marvin,

Can I use a member of the Domain Admins group to connect the domain controller and the agent instead of configuring WMI?

SFUA is required for accurate user information. It needs to use WMI and does not have the option of using other methods.

Please see the SFUA documentation for details.

https://support.sourcefire.com/sections/10/sub_sections/46

 

Thanks Marvin,

I installed the agent on a host and configured the DC's IP and AD settings; then I can see the status is 'available' and the polling log for AD keeps updating, but the "last reported" columns in the AD and Sourcefire DC tabs are empty, no user logon/logoff events appear on FireSIGHT, and it also doesn't show user IDs and IP addresses.

I made sure the network discovery and LDAP agent & connection settings are configured, but I still can't see the user information on FireSIGHT.... Please help me...

 

 

Hi CHANG,

I am facing the same issue as you were facing.

"I installed agent on a host and configured DC's IP and AD setting, then I can see the status is 'available' and polling log for AD are keep update, but I see the last reported columns in AD and sourcefire DC tab are empty, no user login/off event appear on FireSIGHT and which also doesn't shows user ID and IP addresses."

Was your case resolved? If so, please do share the solution.

Same Problem over here.... ;-)

There is a 'tools.exe' (recalling from memory) utility for troubleshooting in the SFUA installation directory.

Run it as administrator and go through the testing options it provides.

You might also check the (not quite the same, but almost) guide that's provided with ISE 2.1 for querying AD.

Reference: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html?bookSearch=true#concept_8CFD8CF4072E4C7BBD01CED44D8FBC54

Hi, yes I know the test tool...

I tried it...

Here I tell you, I tried a service account with the following rights:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

It doesn't work, so I took an account (Domain Admin, Enterprise Admin, Schema Admin); now the test tools say yes, it works. But the agent doesn't map users and doesn't report to my FirePower:

I set the identity source:

I make tests, and they're communicating.

The

netstat -tan | grep 330

doesn't show me the full column, but it seems to be OK.

But:

DC is Available, Real-time Status Available, sometimes Management Center is Available, now it's pending

(when I restart the server with the User Agent, sometimes everything is unknown...)

and it never reports to FirePower...

I don't really understand: the tools said we get a connection, but nothing is reported? Ah, I got a realm, and there the "user download" works really well... In the meantime I'm really desperate; I don't really know what's wrong with the User Agent...

The issue is most often with the connection to AD and the ability to retrieve messages from it.

Which version of the User Agent are you using? I have seen fewer issues when running the latest release (currently Version 2.3).

Are you running it on the DC itself or from another host? If you are on the DC, you need to use localhost as the target instead of the IP address.
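A check I would run from the member server that hosts the User Agent, following Marvin's earlier explanation of what the agent needs (a remote WMI read of the DC's Security log for logon/logoff events) and his troubleshooting reply above. This is an added example, not part of the thread or of the SFUA itself; it assumes Windows PowerShell 5.1 (Get-WmiObject uses DCOM, the same path the agent relies on), and the DC name and service account are placeholders.

```powershell
# Added example: test whether the SFUA service account can read logon/logoff
# events from a DC's Security log over WMI/DCOM from the agent host.
param(
    [string]$DomainController = 'DC01.example.local',  # placeholder DC name
    [string]$ServiceAccount   = 'EXAMPLE\svc-sfua',    # placeholder account
    [int]$MinutesBack         = 30
)

$cred = Get-Credential -UserName $ServiceAccount -Message 'SFUA service account password'

# WQL compares datetimes as DMTF strings (yyyymmddHHMMSS.ffffff+UTCoffset)
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$MinutesBack))

# 4624 = successful logon, 4634 = logoff: the events the agent maps to user/IP
$filter = "Logfile='Security' AND (EventCode=4624 OR EventCode=4634) AND TimeGenerated>='$since'"

try {
    $events = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $DomainController `
                            -Credential $cred -Filter $filter -ErrorAction Stop
} catch {
    Write-Warning "WMI query to $DomainController failed: $($_.Exception.Message)"
    Write-Warning 'Typical causes: DCOM/WMI blocked by a firewall (TCP 135 plus dynamic RPC ports), account missing the group memberships in the Cisco doc, or no remote read access to the Security log.'
    return
}

if (-not $events) {
    Write-Warning "Connected, but no logon/logoff events in the last $MinutesBack minutes; the agent would have nothing to report."
    return
}

# Summarise what the agent would see: time, event id, account and source address.
# For 4624 the account of interest is under 'New Logon:', not the 'Subject:' block.
$events | ForEach-Object {
    $msg = $_.Message
    $acct = if ($msg -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $Matches[1] }
            elseif ($msg -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time    = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
        EventId = $_.EventCode
        Account = $acct
        Source  = if ($msg -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '-' }
    }
} | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If the query fails here with an access-denied or RPC error, the agent will fail the same way regardless of what the FireSIGHT side shows as "available".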

I use version 2.3.10 of the User Agent, and it's not on a DC, just a member server; when I read about the SQL Compact installation, I did not want it on a DC...

First I thought the antivirus was the problem, but on a member server without antivirus I got similar problems, and I excluded the path of the User Agent from scanning.
