01-07-2016 03:38 AM
I'm running ASA5515 (9.4-2) with FP module 6.0.0 1005. FSMC 6.0.0 1005.
Under Analysis-Connections-Events-Table View of Connection Events-Initiator User I am seeing "No Authentication Required" and not the user that should be mapped to the IP address.
I have Active Directory integration configured via a Realm, which connects and sees users and allows me to download groups etc. I have an identity policy created using Passive Authentication, and added to the access control policy. I have the User Agent installed on a member server that is polling 2 DCs fine. However, still no joy.
Anyone seeing similar issues? Bug?
Thanks,
Karl.
01-07-2016 09:18 AM
Hi,
The new version introduced the concept of Authentication "realms" and login events must be
matched to a realm to be correctly associated with an IP address. This is evident if
the "realm" field in your user activity page is blank for the logins you see.
This can happen if your AD domain has a short name since often times the logins are being
transmitted to the FMC with the short name instead of the FQDN of the domain, and then are
not matched to the correct realm if you're configured to match the FQDN.
To change this, click on System > Integration > Realms > (Realm you're using)
> Realm Configuration, and change the value of "AD Primary Domain" to the short name of
the domain. Save your changes.
Then go back to System > Integration > Realms, and click the "Download Now" button
(to the right of the state on/off switch), and confirm that you're still able to download
the users from the LDAP connection.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
01-07-2016 10:02 AM
Thanks for the reply Aastha,
I have a Realm configured and I can download user and group information no problem.
Under Analysis-Users-User Activity, My Realm field is correct, and I see user to IP address mappings here no problem. I also see Authentication type "Passive Authentication".
My problem is when viewing Analysis-Connections-Events-Table View, under the Initiator User it shows "No Authentication Required". So I can't see what user hit what URL etc...
thanks
Karl.
01-07-2016 11:01 AM
Hi,
What is the identity policy that you have? I guess the default action is set to "Not authentication".
Try redeploying the policy and see if that helps.
Regards,
Aastha Bhardwaj
Rate if that helps
01-07-2016 11:14 AM
Hi Aastha,
The Identity policy is set to Action= Passive Authentication, the Realm is correct and it's applied to the Access Control Policy... In version 5.4.1, using the user agent and AD integration with the new Realm concept, I could see users mapped to IPs from the table view of Connection events. Am I right in expecting to see the same in 6.0.0?
thanks
Karl,
01-08-2016 09:34 AM
Hi,
That is right, in the table view of connection events you should see the initiator user.
I would suggest that you open a TAC case because we have already checked the basic configuration, which looks fine.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
01-08-2016 10:36 AM
Hi Aastha,
Yes, looks like I'll have to. Thanks for your input, much appreciated!
rgds
Karl.
01-14-2016 06:57 AM
Hi Karl,
Did you find a solution for this bug?
Nir
01-14-2016 08:12 AM
Hi Nir,
No, not yet. I am not in an immediate hurry to resolve it, so I am waiting for the next release. If it's not resolved in that release I'll open a TAC case.
Karl.
01-24-2016 01:48 AM
Have you created an access rule in the Access policy which includes the user for which you want to apply the control?
Please have a look at the article below to verify the configuration and events.
Regards,
Sunil Kumar
Rate if that helps !!
01-24-2016 02:18 AM
Hi Sunil,
I don't need to apply control on users by using identity policy.
I just want to get the mapping of IP to User (the Agent sends this information to management).
This functionality was working fine before the upgrade to version 6.
Regards,
Nir
01-30-2016 10:29 PM
I've got this same problem... anyone figure out the cause?
I click on the workstation I am generating the traffic on, in the host profile I see my identity Domain\User yet Sourcefire doesn't match!??!?
02-15-2016 01:24 AM
03-21-2016 12:42 PM
Thanks alexzelent, I removed the source filter and your suggestion worked for me as well. Do you know why? Is it a bug or am I understanding the filter incorrectly?
02-26-2016 10:03 AM
In my case, the Realm simply states "LDAP" not the name of the realm.