
Contextual Awareness with AD on v6.0.0

chanccmtech
Level 1

Good Day All!

I have a customer very keen to fix the whole issue with the version 6.0.0 release in their environment, as they have just migrated their network and security devices to Cisco. However, we ran into some issues with their AD on version 5.4.1.x and would like to know if we can get contextual awareness on FireSIGHT without the usage of User Agent installed on any Windows hosts.

The current end users are using Cisco ISE in their environment, upgraded to the latest firmware, and would like to have it integrated with their ASA5585-X SSP-10 with FirePOWER Services, using ISE to do user tagging.

However, I have been trying to find out the exact steps needed to perform this. I have tried to find this information on the website and in the relevant manual, but I am still unable to find the elusive "FirePOWER System User Guide v 6.0.0".

I do hope that I can seek some knowledge from this community on how I can go about performing the integration of Fire and ISE for contextual awareness.

I look forward to your replies! Much appreciated!

1 Reply

nickalleyne
Level 1

We ran into a couple of issues with the upgrade also, regarding the AD awareness. One resolved, one still ongoing with a TAC. We do not use ISE, so I cannot comment, but the issues may at least have some similarities to give some thoughts on the issue.

Resolved: Users not being authenticated at all. The issue we found here is that in realms the domain was listed as the FQDN (contoso.com), but because the user agent reads event logs, it reads the NT-4 type domain name (CON-COM). It has to be the exact same one for it to work.

Unresolved: Security groups that are assigned in rules are read properly by the Defense Center, but the groups are not passed through to the sensor. Some groups are, others are not, and it changes constantly. The workaround is to assign users manually to the rule, which is a massive headache.
