Cisco Firepower local management / user authentication

Ilya Drey
Level 1

Hello,

Could anyone tell me if it is expected behavior of Cisco ASA5515-X Firepower (v6.0.1):

I have passive authentication configured with active authentication as a fallback method. Is it OK that when a passively authenticated user logs off and then a local (not AD) user logs in, he gets the access policy of the first user? Does the Firepower AD User Agent check logoff entries in the Windows security event log?

Regards,

Ilya

2 Replies

Marvin Rhoads
Hall of Fame

The Sourcefire User Agent checks the AD domain controller(s) for both user login and logout events. So, yes, it should pick up that an AD-authenticated user has logged off.

The new (unknown) user should get whatever policy is defined for unknown users (if there is one) or your default policy (if there is not).
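Since the answer above hinges on the domain controller actually recording the logoff, a quick way to verify that before suspecting the firewall is to pull the logon and logoff events for the account straight from the Security log the agent reads. The script below is an added example written for this thread, not Cisco's or Sourcefire's code; it assumes you run it with event-log read rights against the DC (or whichever host's Security log the agent is pointed at), and `$ComputerName`, `$UserName` and `$Hours` are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): list recent logon/logoff events for one account
# from a domain controller's Security log, and flag a logon with no later logoff.
# Assumptions: event-log read rights on the DC; parameter defaults are placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (placeholder: local host)
    [string]$UserName     = 'jdoe',              # account to check (placeholder)
    [int]$Hours           = 24                   # look-back window
)

# Standard Windows Security event IDs:
# 4624 = successful logon, 4634 = logoff, 4647 = user-initiated logoff
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent throws when nothing matches; treat that as "no events" instead
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read EventData fields by name from the event XML; positional Properties[] indexes
# differ between 4624 and 4634/4647, so the XML route is safer.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $user = Get-EventField -Event $e -Name 'TargetUserName'
    if ($user -ne $UserName) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Kind      = switch ($e.Id) { 4624 { 'logon' } 4634 { 'logoff' } 4647 { 'logoff' } }
        User      = $user
        Domain    = Get-EventField -Event $e -Name 'TargetDomainName'
        LogonType = Get-EventField -Event $e -Name 'LogonType'   # empty on 4647
        Source    = Get-EventField -Event $e -Name 'IpAddress'   # populated on 4624 only
    }
}

if (-not $rows) {
    Write-Output "No logon/logoff events for $UserName on $ComputerName in the last $Hours hours"
    return
}

$rows = $rows | Sort-Object Time
$rows | Format-Table -AutoSize

# A logon with no later logoff in the window is exactly the case where an identity-aware
# firewall would keep mapping that source IP to the old user.
$lastLogon  = $rows | Where-Object Kind -eq 'logon'  | Select-Object -Last 1
$lastLogoff = $rows | Where-Object Kind -eq 'logoff' | Select-Object -Last 1
if ($lastLogon -and (-not $lastLogoff -or $lastLogoff.Time -lt $lastLogon.Time)) {
    Write-Warning "${UserName}: last logon at $($lastLogon.Time) from $($lastLogon.Source) has no later logoff event on $ComputerName"
} else {
    Write-Output "${UserName}: last logoff event ($($lastLogoff.Id)) at $($lastLogoff.Time) recorded on $ComputerName"
}
```

If the script shows a 4634 or 4647 for the account after its last 4624, the DC has the logoff on record and the gap is between the agent and the firewall; if it does not, the firewall is only reflecting what the log contains, and the place to look is the workstation and DC audit configuration rather than the ASA.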

Thanks for the reply. I suppose that there is a bug in Firepower, because I can see logoff events in the Windows security event log. I'm sure that Firepower has no problem with User Agent communication because the device can work with login events (users can be passively authenticated).

I can't imagine anything to check on the AD domain controller side because the User Agent can see events from the Windows security event log. It seems like a problem with Firepower local management on the ASA.
