FirePower 6.0, Initiator User showing up as "No Authentication Required".

Karl_F
Level 1

I'm running an ASA5515 (9.4-2) with FP module 6.0.0 1005. FMC 6.0.0 1005.

Under Analysis > Connections > Events > Table View of Connection Events > Initiator User, I am seeing "No Authentication Required" and not the user that should be mapped to the IP address.

I have Active Directory integration configured via a Realm, which connects and sees users and allows me to download groups etc. I have an identity policy created using Passive Authentication and added to the access control policy. I have the User Agent installed on a member server that is polling 2 DCs fine. However, still no joy.

Anyone seeing similar issues? Bug?

Thanks,

Karl.

23 Replies

Aastha Bhardwaj
Cisco Employee

Hi,


The new version introduced the concept of authentication "realms", and login events must be matched to a realm to be correctly associated with an IP address. This is evident if the "Realm" field in your User Activity page is blank for the logins you see.



This can happen if your AD domain has a short name, since oftentimes the logins are transmitted to the FMC with the short name instead of the FQDN of the domain, and then are not matched to the correct realm if you're configured to match the FQDN.



To change this, click on System > Integration > Realms > (the realm you're using) > Realm Configuration, and change the value of "AD Primary Domain" to the short name of the domain. Save your changes.



Then go back to System > Integration > Realms and click the "Download Now" button (to the right of the state on/off switch), and confirm that you're still able to download the users over the LDAP connection.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thanks for the reply Aastha, 

I have a Realm configured and I can download user and group information no problem.

Under Analysis > Users > User Activity, my Realm field is correct, and I see user-to-IP-address mappings here no problem. I also see Authentication Type "Passive Authentication".

My problem is when viewing Analysis > Connections > Events > Table View: under Initiator User it shows "No Authentication Required". So I can't see what user hit what URL etc.

thanks

Karl.

Hi,

What is the identity policy that you have? I guess the default action is set to "No Authentication".

Try redeploying the policy and see if that helps.

Regards,

Aastha Bhardwaj

Rate if that helps

Hi Aastha,

The identity policy is set to Action = Passive Authentication, the realm is correct and it's applied to the access control policy. In version 5.4.1, using the User Agent and AD integration with the new realm concept, I could see users mapped to IPs from the table view of connection events. Am I right in expecting to see the same in 6.0.0?

thanks

Karl.

Hi,

That is right: in the table view of connection events you should see the initiator user.

I would suggest you open a TAC case, because we have already checked the basic configuration, which looks fine.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi Aastha,

Yes, looks like I'll have to. Thanks for your input, much appreciated!

rgds

Karl.

Hi Karl,

Did you find a solution for this bug?

Nir

Hi Nir, 

No, not yet. I am not in an immediate hurry to resolve it, so I am waiting for the next release. If it's not resolved in that release, I'll open a TAC case.

Karl. 

Have you created an access rule in the access control policy which includes the user for which you want to apply the control?

Please have a look at the article below to verify the configuration and events.

Configure Active Directory Integration with Firepower Appliance for Single-Sign-On & Captive Portal Authentication

Regards, 

Sunil Kumar

Rate if that helps !!

Hi Sunil,

I don't need to apply control to users by using the identity policy.

I just want to get the mapping of IP to user (the Agent sends this information to the management center).

This functionality was working fine before the upgrade to version 6.

Regards,

Nir

I've got this same problem... anyone figure out the cause?

I click on the workstation I am generating the traffic on, and in the host profile I see my identity Domain\User, yet Sourcefire doesn't match!?

I saw Initiator User as "No Authentication Required" too.

When I removed my networks in the identity policy, all users appeared.

Thanks alexzelent, I removed the source filter and your suggestion worked for me as well. Do you know why? Is it a bug, or am I understanding the filter incorrectly?
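Two separate conditions are discussed in this thread before a connection event shows an Initiator User: the User Agent login has to land in a realm whose "AD Primary Domain" matches the domain the agent reported (Aastha's short-name vs FQDN point), and the connection then has to hit an identity rule whose network condition includes the source host (alexzelent's observation that removing the networks from the identity policy made users appear). The following Python model, added here to illustrate the thread and not code from Cisco or Firepower, walks both conditions. The strict domain comparison, the "Unknown" label for a rule hit with no mapping, and all realm names, IPs and logins are assumptions constructed for the example; the "No Authentication Required" label is the one reported in the thread.

```python
"""Simplified model of how a connection event gets its Initiator User:
(1) a User Agent login is mapped to an IP only if its domain matches the
realm's AD Primary Domain, and (2) the identity policy's rules decide
whether that mapping is applied to a given connection.
Illustrative code written for this thread, not Firepower's implementation;
all realm names, IPs and logins are constructed."""
import ipaddress

NO_AUTH = "No Authentication Required"  # label reported in the thread
UNKNOWN = "Unknown"                      # assumed label: rule hit, no mapping


def realm_matches(realm_domain: str, login_domain: str) -> bool:
    """Strict, case-insensitive comparison (assumed): a realm configured with
    the FQDN does not match a login reported with the short NetBIOS name."""
    return realm_domain.lower() == login_domain.lower()


def build_user_map(logins, realm_domain):
    """Map IP -> 'DOMAIN\\user' for logins whose domain matches the realm.
    Logins that match no realm get no mapping (blank Realm in User Activity)."""
    mapping = {}
    for ip, domain, user in logins:
        if realm_matches(realm_domain, domain):
            mapping[ip] = f"{domain}\\{user}"
    return mapping


def initiator_user(src_ip, rules, user_map):
    """Evaluate identity rules top-down. A rule applies only if the source IP
    is inside one of its networks (or the rule has no network condition).
    A passive-auth rule returns the mapped user, or UNKNOWN if the rule matches
    but no mapping exists. A connection matching no rule falls through to the
    policy's default action, modelled here as 'no authentication'."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        nets = rule.get("networks") or []
        if nets and not any(ip in ipaddress.ip_network(n) for n in nets):
            continue  # host is outside this rule's source networks
        if rule["action"] == "passive":
            return user_map.get(src_ip, UNKNOWN)
        if rule["action"] == "no_auth":
            return NO_AUTH
    return NO_AUTH


# Constructed sample logins as a User Agent might report them: (ip, domain, user)
LOGINS = [
    ("10.0.1.5", "CORP", "karl"),             # short NetBIOS domain name
    ("10.0.2.7", "corp.example.com", "nir"),  # FQDN form
]


def demo():
    """Run both failure modes from the thread and return the observed labels."""
    results = {}
    # Failure mode 1: realm configured with the FQDN, login reported with the
    # short name. Switching the realm to the short name flips which login maps.
    fqdn_map = build_user_map(LOGINS, "corp.example.com")
    short_map = build_user_map(LOGINS, "CORP")
    results["fqdn_realm_map"] = fqdn_map
    results["short_realm_map"] = short_map

    # Failure mode 2: identity rule scoped to a network that excludes the host,
    # so the connection never reaches the passive-auth rule.
    scoped = [{"action": "passive", "networks": ["10.0.1.0/24"]}]
    unscoped = [{"action": "passive"}]
    results["scoped_in"] = initiator_user("10.0.1.5", scoped, short_map)
    results["scoped_out"] = initiator_user("10.0.2.7", scoped, fqdn_map)
    results["unscoped"] = initiator_user("10.0.2.7", unscoped, fqdn_map)
    results["unscoped_unmapped"] = initiator_user("10.0.2.7", unscoped, short_map)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two outcomes worth separating when troubleshooting are the scoped-out case, which yields "No Authentication Required" because the connection fell through to the default action, and the unmapped case, where the rule did match but no realm-matched login existed for that IP. The first points at the identity rule's zone/network conditions; the second points at the realm's domain name versus what the User Agent reports.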

In my case, the Realm simply states "LDAP" not the name of the realm. 
