cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

8670
Views
40
Helpful
23
Replies
Karl_F
Beginner

FirePower 6.0, Initiator User showing up as "No Authenticaton Required".

I'm Running ASA5515 (9.4-2) with FP module 6.0.0 1005. FSMC 6.0.0 1005.

Under Analysis-Connections-Events-Table View of Connection Events-Initiator User  I am seeing "No Authentication Required" and not the user that should be mapped to the IP address. 

I have active directory integration configured via a Realm, which connects and sees users and allows me to download groups etc, I have an identity policy created using Passive Authentication, and added to the access control policy. I have the User Agent installed on a member server that is polling 2 DC's fine. however still no joy. 

Anyone seeing similar issues? Bug?

Thanks,

Karl.

23 REPLIES 23
Aastha Bhardwaj
Cisco Employee

Hi,


The new version introduced the concept of Authentication "realms" and login events must be
matched to a realm to be correctly associated it with an IP address. This is evident if
the "realm" field in your user activity page is blank for the logins you see.



This can happen if your AD domain has a short name since often times the logins are being
transmitted to the FMC with the short name instead of the FQDN of the domain, and then are
not matched to the correct realm if you're configured to match the FQDN.



To change this, click on System > Integration > Realms > (Realm you're using)
> Realm Configuration, and change the value of "AD Primary Domain" to the short name of
the domain. Save your changes.



Then go back to System > Integration > Realms, and click the "Download Now" button
(to the right of the state on/off switch) , and confirm that you're still able to download
the users from the LDAP connection.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thanks for the reply Aastha, 

I have a Realm configured and I can download user and group information no problem.

Under Analysis-Users-User Activity, My Realm field is correct, and I see user to IP address mappings here no problem. I also see Authentication type "Passive Authentication".

My problem is when viewing Analysis-Connections-Events-Table View, Under the Initiator User its shows "No Authentication Required". So I can't see what user hit what URL etc...

thanks

Karl.

Hi,

What is the identity policy that you have ? I guess the default action is set to "Not authentication"

Try redeploying the policy and see if that helps.

Regards,

Aastha Bhardwaj

Rate if that helps

Hi Aastha,

The Identity policy is set to Action= Passive Authentication, the Realm is correct and its applied to the Access Control Policy... In version 5.4.1, using the user agent and AD integration with the new Realm concept, I could see users mapped to IPs from the table view of Connection events, am I right in expecting to see the same in 6.0.0? 

thanks

Karl,

Hi,

That is right in table view of connection events you should see the initiator user.

I would suggest you to open the TAC case because we have already checked the basic configuration which looks fine.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi Aastha,

Yes, looks like I'll have to. Thanks for your input, much appreciated!

rgds

Karl.

Hi Karl,

Did you find a solution for this bug?

Nir

Hi Nir, 

No, not yet. I am not in an immediate hurry to resolve it so am waiting for next release, if it's not resolved in that release I'll open a TAC case.

Karl. 

Have you created access rule in Access policy which includes the user for which you want to apply the control? 

Please have a look on below article  to verify the configuration and events. 

Configure Active Directory Integration with Firepower Appliance for Single-Sign-On & Captive Portal Authentication

Regards, 

Sunil Kumar

Rate if that helps !!

Hi Sunil,

I don't need to apply control on users by using identity policy.

I just want to get  mapping of IP to User (Agent sends this information to management).

This functionality is working fine before upgrade to version 6.

Regards,

Nir

I've got this same problem... anyone figure out the cause?

I click on the workstation I am generating the traffic on, in the host profile I see my identity Domain\User yet sourcefire doesn't match!??!?

I saw Initiator User as "No Authentication Required" too.

When I removed my networks in Identity policy, all users appear.

Thanks alexzelent, I removed the source filter and your suggestion worked for me as well. Do you know why? Is it a bug or am I understanding the filter incorrectly.

In my case, the Realm simply states "LDAP" not the name of the realm. 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
Content for Community-Ad