Discovering Users within Firepower

Scott_22

I am attempting to discover users within our infrastructure through a network discovery policy, but the FMC doesn't seem to discover anyone. I have a network discovery policy configured to detect users, hosts, and applications. Do I also need an identity policy mapped to a realm? Can the users be discovered via pxGrid with ISE?

9 Replies

ShineSudheesh

Dear Scott,

To get user details on Cisco FMC, you need to integrate your FMC with AD.

Please follow the steps below:

++Configure user discovery in your network discovery policy for RFC1918

++Integrate FMC with AD using a realm

++Download the user details from AD to FMC under the realm's user download section

++Configure an identity policy with passive authentication.

Once this is successful, you should be able to see the user and group details in the ACP rule on the Users tab.

For user-to-IP mapping, you can use the User Agent. Please note that User Agent support is only available up to 6.6.

For User Agent integration, you can refer to the link below.

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

Please rate if this is helpful to you.

Regards

Shine Sudheesh

Does the identity policy need to be configured on an ACP as well? 

Not really: you do the AD integration, and then on the ACP you pull the users/groups to build your policy.
Mike

Yes. You need to associate the identity policy with an access control policy to allow or block selected users from accessing specified resources.

My question is solely focused on network discovery. To discover users, does the identity policy need to be applied anywhere? I know the realm obviously needs to be applied to the identity policy, but I want to confirm that is all that is needed. The end goal is to view users and their account names within Analysis.

Passive user discovery will only tell you a small part of the story that can be gleaned from observing information transiting the device in clear text.

For best results use ISE via pxGrid. Of course that assumes users are being required to authenticate via network access control that ISE is enforcing and that ISE is linked to your identity source (typically AD).

Assuming users are authenticating via ISE and pxGrid is configured, what are the steps to discover users? If pxGrid is configured are users automatically synced with the FMC? 

The FMC is a subscriber to the session information coming from ISE via pxGrid. So, yes, the synchronization happens automatically: users' ISE authentication info (username and IP address) is communicated to the FMC.
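To make the difference between the two identity sources discussed above concrete (passive discovery of clear-text logins versus ISE session notifications over pxGrid), here is an added example that models a firewall's user-to-IP mapping table fed by both. It is not FMC or ISE code and is not from this thread. The session-record field names (`sessions`, `state`, `userName`, `ipAddresses`) follow the ISE pxGrid 2.0 session topic as I recall it and should be treated as assumptions; all sample traffic and session messages are constructed. The point it demonstrates: passive discovery sees only what crosses the wire unencrypted, while an authenticated session from pxGrid is authoritative for an IP and must also be removed when the session ends.

```python
"""Toy model of a user-to-IP mapping table fed by two identity sources.

Added example, not FMC/ISE code.  pxGrid session field names are an
assumption based on the ISE pxGrid 2.0 session topic; samples are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    user: str
    source: str  # "passive" (sniffed clear text) or "pxgrid" (ISE session)


# Clear-text login patterns keyed by destination port.  Passive discovery
# can only extract a username when the credential exchange is unencrypted;
# TLS on 993/995/443 yields nothing, which is the "small part of the story".
CLEARTEXT_LOGINS = {
    21:  ("ftp",  re.compile(r"^USER (\S+)\r?$")),
    110: ("pop3", re.compile(r"^USER (\S+)\r?$")),
    143: ("imap", re.compile(r"^\S+ LOGIN (\S+) \S+\r?$", re.IGNORECASE)),
    80:  ("http", re.compile(r"^Authorization: Basic (\S+)\r?$")),
}


def passive_user(dst_port: int, payload: str) -> Optional[str]:
    """Return the username carried by one clear-text protocol line, or None."""
    entry = CLEARTEXT_LOGINS.get(dst_port)
    if entry is None:
        return None
    proto, pattern = entry
    m = pattern.match(payload)
    if not m:
        return None
    if proto == "http":
        # HTTP Basic is base64("user:password"); reject malformed tokens.
        try:
            creds = base64.b64decode(m.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        return creds.split(":", 1)[0] or None
    return m.group(1)


def apply_passive(table: Dict[str, Binding], src_ip: str, dst_port: int, payload: str) -> None:
    """Record a passively observed login unless pxGrid already owns the IP."""
    user = passive_user(dst_port, payload)
    if user is None:
        return
    existing = table.get(src_ip)
    if existing is not None and existing.source == "pxgrid":
        return  # an authenticated ISE session is authoritative for this IP
    table[src_ip] = Binding(user, "passive")


def apply_pxgrid(table: Dict[str, Binding], message: str) -> None:
    """Consume one pxGrid session-topic notification (JSON, assumed format)."""
    for session in json.loads(message).get("sessions", []):
        user = session.get("userName")
        for ip in session.get("ipAddresses", []):
            if session.get("state") == "DISCONNECTED":
                table.pop(ip, None)  # session ended: a stale binding would misattribute traffic
            elif user:
                table[ip] = Binding(user, "pxgrid")


def build_mappings(events: List[Tuple]) -> Dict[str, Binding]:
    """Replay an ordered stream of passive observations and pxGrid messages."""
    table: Dict[str, Binding] = {}
    for ev in events:
        if ev[0] == "passive":
            apply_passive(table, *ev[1:])
        elif ev[0] == "pxgrid":
            apply_pxgrid(table, ev[1])
    return table


# Constructed sample stream (not captured from a real network).
SAMPLE_EVENTS: List[Tuple] = [
    ("passive", "10.1.1.20", 21, "USER alice"),
    ("passive", "10.1.1.30", 143, "a001 LOGIN bob s3cret"),
    ("passive", "10.1.1.40", 80,
     "Authorization: Basic " + base64.b64encode(b"carol:pw").decode()),
    ("passive", "10.1.1.50", 993, "\x16\x03\x01 ..."),  # TLS: nothing to see
    ("pxgrid", json.dumps({"sessions": [
        {"state": "STARTED", "userName": "dave", "ipAddresses": ["10.1.1.60"]},
        {"state": "STARTED", "userName": "erin", "ipAddresses": ["10.1.1.20"]},
    ]})),
    ("passive", "10.1.1.20", 21, "USER alice"),  # ignored: pxGrid owns 10.1.1.20
    ("pxgrid", json.dumps({"sessions": [
        {"state": "DISCONNECTED", "userName": "dave", "ipAddresses": ["10.1.1.60"]},
    ]})),
]

if __name__ == "__main__":
    for ip, b in sorted(build_mappings(SAMPLE_EVENTS).items()):
        print(f"{ip:<12} {b.user:<8} ({b.source})")
```

Running it shows 10.1.1.20 attributed to erin from pxGrid even though alice's FTP login was sniffed on the same address, no entry at all for the TLS client on 10.1.1.50, and dave gone once his session disconnected.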

Okay, so an ACE is not needed in the ACP to simply discover information about a user's session? Based on this document, it mentions the following:


"The FMC may download all the users and IP address bindings to its heart’s content, but none of the data that is downloaded will be used in the policy until there is a realm configured to determine which groups and users to use in the firewall policies.....The realm is now fully configured for rule creation, along with the pxGrid integration for learning what IP addresses belong to which users and devices. Now you are ready to add identity information to the access policy rules in the FMC."


So the second step, adding the identity policy to an ACP, is not required for discovery only?


https://www.ciscopress.com/articles/article.asp?p=2963461&seqNum=2
