08-23-2016 02:21 PM - edited 03-12-2019 06:06 AM
Hello,
Could anyone tell me if it is expected behavior of Cisco ASA5515-X Firepower (v6.0.1):
I have passive authentication configured with active authentication as a fallback method. Is it OK that when a passively authenticated user logs off and then a local (not AD) user logs in, he gets the access policy of the first user? Does the Firepower AD User Agent check logoff entries in the Windows security event log?
Regards,
Ilya
08-27-2016 12:30 PM
The Sourcefire User Agent checks the AD domain controller(s) for both user logon and logoff events. So, yes, it should pick up that an AD-authenticated user has logged off.
The new (unknown) user should get whatever policy is defined for unknown users (if there is one) or your default policy (if there is not).
08-27-2016 12:50 PM
Thanks for the reply. I suppose that there is a bug in Firepower, because I can see logoff events in the Windows security event log. I'm sure that Firepower has no problem with User Agent communication, because the device does work with logon events (a user can be passively authenticated).
I can't imagine anything to check on the AD domain controller side, because the User Agent can see events from the Windows security event log. It seems like a problem with Firepower local management on the ASA.
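A toy model of the identity-to-IP mapping described in this thread, added here as an example and not code from the original posts or from Cisco/Sourcefire. It replays constructed logon/logoff records (4624 and 4634 are the standard Windows Security logon/logoff event IDs; the record layout is invented) and shows why a mapping that ignores logoff events lets the next, unknown user inherit the previous AD user's policy.

```python
# Added example: simplified passive-identity map driven by DC security
# events, to show the stale-mapping failure mode when logoff events are
# not processed. Not Cisco/Sourcefire code; event records are constructed.
from dataclasses import dataclass

LOGON = 4624   # Windows Security: an account was successfully logged on
LOGOFF = 4634  # Windows Security: an account was logged off

@dataclass
class Event:
    event_id: int
    user: str
    ip: str
    realm: str  # "AD" for domain accounts, "LOCAL" for machine-local ones

# Constructed sequence: AD user "alice" logs on and off from 10.1.1.50, then
# a local (non-AD) user "bob" works from the same host. A local logon is not
# a domain event, so it is modelled as something the agent never learns.
EVENTS = [
    Event(LOGON, "alice", "10.1.1.50", "AD"),
    Event(LOGOFF, "alice", "10.1.1.50", "AD"),
    Event(LOGON, "bob", "10.1.1.50", "LOCAL"),
]

# Hypothetical access policies: a rule for alice and the unknown-user default.
POLICY = {"alice": "AD-users-allow", None: "unknown-users-default"}

def build_ip_map(events, honour_logoff):
    """Return {ip: user} after replaying events. With honour_logoff=False the
    logoff is ignored, which leaves a stale alice -> 10.1.1.50 binding."""
    ip_map = {}
    for ev in events:
        if ev.realm != "AD":
            continue  # only domain accounts are learned from the DC logs
        if ev.event_id == LOGON:
            ip_map[ev.ip] = ev.user
        elif ev.event_id == LOGOFF and honour_logoff:
            if ip_map.get(ev.ip) == ev.user:
                del ip_map[ev.ip]
    return ip_map

def policy_for(ip, ip_map):
    """Resolve the access policy that traffic from `ip` would receive."""
    return POLICY[ip_map.get(ip)]

if __name__ == "__main__":
    for honour in (False, True):
        m = build_ip_map(EVENTS, honour)
        print(f"honour_logoff={honour}: 10.1.1.50 -> {policy_for('10.1.1.50', m)}")
```

With logoff events ignored, bob's traffic from 10.1.1.50 is still evaluated as alice; with them honoured, the mapping is cleared and the unknown-user default applies, which is the behaviour the reply above describes as expected.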