Does ASA with FirePower integrated with AD require installing an agent?

Ryan YC
Level 1

Hi,

I recently set up a lab for ASA with FirePower integrated with a Microsoft AD deployment,

but I am wondering whether FirePower must have an agent installed on the AD server.

I installed the agent on the AD server and configured the LDAP connection on the FireSIGHT VDC server,

then it could fetch the AD forest, and the dashboards for source/destination user could all display user information,

but when I removed the agent and stopped the service on AD, the FireSIGHT VDC could still configure the LDAP connection,

so I am wondering whether FirePower must have an agent installed on the AD server,

and if not, is there a difference between installing it or not?

Please help, thanks!

30 Replies

Just to cover all the bases...did you setup FireSIGHT to receive the user data?

I set the Identity Source with the IP of the User Agent, I set up a realm and downloaded users.

And at the Access Policy I set selected User: MYDOMAIN/*

and at Advanced I set my identity policy.

At the Identity Policy I imported my Realm, set to enabled with "passive Authentication".

I ran across an issue like this where it was caused by a Windows Server patch. Cisco has identified this bug as CSCva32331. Basically it required TLS? traffic to be a minimum of 1024-bit and so Windows Server wouldn't talk to Firesight. I had to create a registry key to lower the minimum bitrate to 512.

This was supposed to be fixed in Firepower 6.1 but I haven't installed it yet to verify.

So you can do 1 of 2 things.

#1: Uninstall KB3161606 from your Windows Server

#2: Go through the steps below:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\
3. On the Edit menu, point to New and click Key; name the new key "Diffie-Hellman".
4. Navigate to the new key you created.
5. On the Edit menu, point to New, and then click DWORD Value.
6. Type ClientMinKeyBitLength for the name of the DWORD, and then press Enter.
7. Right-click ClientMinKeyBitLength, and then click Modify.
8. In the Value data box, type 00000200 (keep this in hexadecimal format), and then click OK.

After this is completed, you will need to restart the User Agent server.
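The same registry workaround as a PowerShell script, added here as an example and not part of the reply above or of any Cisco documentation. It reads back the value before and after the change so you can confirm what was set, and shows how to revert. One caveat a practitioner should keep in mind: ClientMinKeyBitLength lowers the Diffie-Hellman floor for every Schannel client connection on that host, not only the User Agent's, so apply it only on the User Agent server and remove it once you have moved to a Firepower release that no longer needs it. The key path and value name are those given in the reply; the helper function name is my own.

```powershell
# Added example (not from the thread): apply the ClientMinKeyBitLength workaround
# with PowerShell instead of regedit. Run from an elevated prompt on the server
# that hosts the Cisco User Agent.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$valueName = 'ClientMinKeyBitLength'
$minBits   = 0x200   # 512 bits, the value the reply gives; KB3161606 raised the default to 1024

function Get-DhClientMinBits {
    # Returns the configured minimum, or $null when Windows is using its built-in default
    $p = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$valueName
}

'Before: {0}' -f (Get-DhClientMinBits)

# Create the Diffie-Hellman subkey if it does not exist yet, then the DWORD.
# -Force makes both steps idempotent, so re-running the script is safe.
New-Item -Path $keyPath -Force | Out-Null
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $minBits -Force | Out-Null

'After:  {0}' -f (Get-DhClientMinBits)   # should now read 512

# Schannel picks the setting up when a process starts, so restart the User Agent
# server (or at least the User Agent service) as the reply says.

# To revert once you no longer need the workaround, delete the value so the
# operating-system default applies again:
#   Remove-ItemProperty -Path $keyPath -Name $valueName
```

The read-back matters because the value is a DWORD and regedit accepts input in either hexadecimal or decimal; typing 200 in decimal mode would set 200 bits, not 512, and that is easy to miss without checking.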

Hm.. now it seems everything is available, but still nothing at "last reported"... it is really frustrating...

You need to verify that you have logon and logoff events enabled and that they're being logged.

OK, I thought a DC would log logon and logoff events automatically,

so I made a GPO for the whole domain with

enable logon logoff events.

Should it be set for everybody and filtered for domain users and domain computers?

I set it for Domain Users yesterday and today nothing happened....

I have this set on the Default Domain Controllers Policy. The security filtering is set to Authenticated Users, Enterprise Admins, and SYSTEM (these were there before so I didn't adjust them).
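A way to verify on the domain controller itself that the logon/logoff auditing discussed above is really in effect, added here as an example and not part of the thread. It checks the effective audit policy (which reflects whatever GPO actually applied, not the one you think applied), lists the GPOs applied to the computer, and pulls the recent 4624/4634 Security events with the account and source address. If the last step returns nothing, the User Agent has nothing to report regardless of its own configuration. Everything here uses built-in Windows tools; run it elevated on the DC.

```powershell
# Added example (not from the thread): confirm a domain controller is producing
# the logon/logoff events that the User Agent depends on. Run elevated on the DC.

# 1. Effective audit policy for the Logon/Logoff category. This is the
#    authoritative view: a GPO that exists but never applied to the DC
#    shows up as "No Auditing" here.
auditpol /get /category:"Logon/Logoff"

# 2. Which GPOs actually applied to this computer. Your custom GPO or the
#    Default Domain Controllers Policy should appear in the list.
gpresult /r /scope:computer

# 3. Recent successful logons (4624) and logoffs (4634) from the Security log,
#    reduced to the fields an identity mapping needs: account and source IP.
$filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = (Get-Date).AddHours(-1) }

Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The interesting fields live in EventData, so parse the event XML
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source    = $data['IpAddress']   # empty for 4634, which is expected
            LogonType = $data['LogonType']
        }
    } |
    Where-Object { $_.User -notmatch '\$$' } |   # drop machine accounts (names ending in $)
    Format-Table -AutoSize
```

If step 1 shows auditing enabled but step 3 is empty, nobody has authenticated against this DC in the window, which is common in a lab with a single test client that is already logged on; log off and back on from the client and re-run the query.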

Yes, it was activated with my own GPO object; now I deleted the old object and set it on the Default DC Policy...

but for me it seems like the User Agent isn't working...

Do you have any idea why it doesn't map users?

Hi Marvin,

If my Firepower agent gets corrupted or for some reason is not able to send logs to the ASA, how would access be handled? Would there be some issue with it?

What will happen to new connections?

Can we install the agent on a VM?

Also, is there any software requirement for FMC? I know we need a VM with 256 GB memory, 8 GB memory, 4 CPU?

Is there any other thing which I need before I place my order.

Thanks in advance!!

Regards

Vaibhav

I have used User Agent 2.3 with good success on several installations. I try to install it locally on the DC(s) if possible. If it is not working it would only affect connections if your Access Control Policy used users or groups they belong to. Your reporting would also not be able to ascertain the username.

On the FMC you need at least those minimums. It doesn't help a lot but I usually try to double the RAM and vCPU allocation if the resources are available. Cisco does not allow you to change the allocated disk storage.

Hi Marvin,

Thanks for this. 

We are thinking of only making the policies based on user names and groups.

So if our agent fails, would the connection fail?

If we add a backup policy for LAN --> internet http, https.. would it be hit after the agent fails?

I do not want to affect any normal traffic because of it being traffic dependent. Is it advisable to use multiple agents?

Thanks in advance!!

Regards

Vaibhav

Access Control Policy (ACP) rules are evaluated from the top down and the first match ends the rule processing. So if you have a catch all rule or set of rules at the bottom of the list they would be evaluated in the event that an earlier rule was not matched.

If you have ISE you can also use it as an alternative identity source. There is even a new lightweight ISE license type known as ISE PIC (Passive Identity Connector) that does not require a full-blown 802.1X deployment of Network Access Control.

Hi,

With FTD can we integrate Active Directory without Agent being installed in the environment. Like Agentless User-ID available in Palo Alto. thanks in advance.

It depends on your requirement.

If you are using ACP rules based on user then you need to have the agent. But if you are looking to import groups for role-based access to FTD/FMC then the agent isn't required.