I'm running ASA5515 (9.4-2) with FP module 6.0.0 1005. FSMC 6.0.0 1005.
Under Analysis-Connections-Events-Table View of Connection Events-Initiator User I am seeing "No Authentication Required" and not the user that should be mapped to the IP address.
I have Active Directory integration configured via a Realm, which connects and sees users and allows me to download groups etc. I have an identity policy created using Passive Authentication, and added to the access control policy. I have the User Agent installed on a member server that is polling 2 DCs fine. However, still no joy.
Anyone seeing similar issues? Bug?
The new version introduced the concept of Authentication "realms", and login events must be matched to a realm to be correctly associated with an IP address. This is evident if the "realm" field in your user activity page is blank for the logins you see.
This can happen if your AD domain has a short name, since oftentimes the logins are being transmitted to the FMC with the short name instead of the FQDN of the domain, and then are not matched to the correct realm if you're configured to match the FQDN.
To change this, click on System > Integration > Realms > (Realm you're using) > Realm Configuration, and change the value of "AD Primary Domain" to the short name of the domain. Save your changes.
Then go back to System > Integration > Realms, and click the "Download Now" button (to the right of the state on/off switch), and confirm that you're still able to download the users from the LDAP connection.
Rate if that helps!!!
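The following is an added example, not code from the thread or from Cisco: it models the realm-matching rule the reply above describes, so you can see which constructed login events would end up with a blank realm when the realm's "AD Primary Domain" is the FQDN versus the short name. The event tuples, realm names and the `DOMAIN\user` / `user@domain` login forms are assumptions for illustration, not an FMC export format.

```python
from typing import Optional

# Added example: models the reply's rule that a login event is associated
# with an IP only when its domain matches a realm's configured
# "AD Primary Domain". Sample events and realm names are constructed.

def normalise_domain(value: str) -> str:
    """Compare domain names case-insensitively, ignoring a trailing dot."""
    return value.strip().lower().rstrip(".")

def login_domain(login: str) -> str:
    """Extract the domain from 'DOMAIN\\user' or 'user@domain' logins."""
    if "\\" in login:
        return normalise_domain(login.split("\\", 1)[0])
    if "@" in login:
        return normalise_domain(login.rsplit("@", 1)[1])
    return ""  # bare username carries no domain, so no realm can match

def match_realm(login: str, realms: dict) -> Optional[str]:
    """Return the realm whose AD Primary Domain equals the login's domain."""
    dom = login_domain(login)
    for name, primary in realms.items():
        if dom and normalise_domain(primary) == dom:
            return name
    return None

def unmatched_logins(events, realms):
    """(ip, login) pairs that would show a blank realm for this configuration."""
    return [(ip, login) for ip, login in events
            if match_realm(login, realms) is None]

# Constructed sample: realm configured with the FQDN ...
REALMS_FQDN = {"corp-realm": "corp.example.com"}
# ... and the same realm after switching AD Primary Domain to the short name.
REALMS_SHORT = {"corp-realm": "CORP"}

EVENTS = [
    ("10.0.0.11", "CORP\\alice"),            # short-name login from the agent
    ("10.0.0.12", "bob@corp.example.com"),    # UPN-style login with the FQDN
    ("10.0.0.13", "OTHER\\carol"),            # domain with no realm at all
]

if __name__ == "__main__":
    print("blank realm with FQDN setting:", unmatched_logins(EVENTS, REALMS_FQDN))
    print("blank realm with short-name setting:", unmatched_logins(EVENTS, REALMS_SHORT))
```

Running it shows the short-name login only gets a realm under the short-name setting, while a UPN-style login only matches under the FQDN setting, so check the User Activity page after the change to confirm all your logins now carry a realm.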
Thanks for the reply Aastha,
I have a Realm configured and I can download user and group information no problem.
Under Analysis-Users-User Activity, my Realm field is correct, and I see user to IP address mappings here no problem. I also see Authentication type "Passive Authentication".
My problem is when viewing Analysis-Connections-Events-Table View: under the Initiator User it shows "No Authentication Required". So I can't see what user hit what URL etc...
What is the identity policy that you have? I guess the default action is set to "Not authentication".
Try redeploying the policy and see if that helps.
Rate if that helps
The Identity policy is set to Action = Passive Authentication, the Realm is correct and it's applied to the Access Control Policy... In version 5.4.1, using the user agent and AD integration with the new Realm concept, I could see users mapped to IPs from the table view of Connection events. Am I right in expecting to see the same in 6.0.0?
That is right; in the table view of connection events you should see the initiator user.
I would suggest you open a TAC case, because we have already checked the basic configuration, which looks fine.
Rate if that helps!!!
No, not yet. I am not in an immediate hurry to resolve it so am waiting for next release, if it's not resolved in that release I'll open a TAC case.
Have you created an access rule in the Access policy which includes the user for which you want to apply the control?
Please have a look at the article below to verify the configuration and events.
Rate if that helps !!
I don't need to apply control on users by using identity policy.
I just want to get mapping of IP to User (Agent sends this information to management).
This functionality was working fine before the upgrade to version 6.
I've got this same problem... anyone figure out the cause?
I click on the workstation I am generating the traffic on, and in the host profile I see my identity Domain\User, yet Sourcefire doesn't match?!
Thanks alexzelent, I removed the source filter and your suggestion worked for me as well. Do you know why? Is it a bug, or am I understanding the filter incorrectly?
In my case, the Realm simply states "LDAP" not the name of the realm.