1583 Views | 0 Helpful | 4 Replies

Firepower Active Authentication unable to make it work

CSCO12002221
Level 1

I am trying to set up Active and Passive Authentication with Firepower version 6 (ASA 5585-SSP-60).

I installed the Firepower User Agent and set up a realm under Integration. Passive Authentication works. I am seeing two problems:

1) If the user is not in Active Directory, then I am trying to use Active Authentication, but in the firewall logs I keep getting packet drops and do not get the authentication window. Captive portal is set up on the firewall. Any ideas?

%ASA-4-434002: SFR requested to drop TCP packet from vlan80:10.255.111.10/53061 to identity:10.255.111.253/885

2) Passive Authentication: I notice that if I log in with a local user account (not the domain account), Firepower doesn't identify the user as guest/unknown. It keeps allowing the traffic with the last known domain user ID from that computer. Is this normal behaviour?
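As an added example (not part of the thread), a small Python triage helper that parses %ASA-4-434002 "SFR requested to drop" messages like the one quoted above and counts, per source host, drops toward the captive-portal listener; the message layout is assumed from the single line in the post, port 885 is taken from that line, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Regex for the %ASA-4-434002 "SFR requested to drop" message, written from
# the single sample line in the thread (an assumption about the full format).
ASA_434002 = re.compile(
    r"%ASA-4-434002: SFR requested to drop (?P<proto>\w+) packet from "
    r"(?P<src_if>[\w\-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w\-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Port 885 on the "identity" interface is the captive-portal listener seen in the thread's log line.
CAPTIVE_PORTAL_PORT = 885
CAPTIVE_PORTAL_IF = "identity"

@dataclass
class SfrDrop:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

def parse_sfr_drop(line: str) -> Optional[SfrDrop]:
    """Return a parsed SfrDrop for a %ASA-4-434002 line, or None for any other syslog message."""
    m = ASA_434002.search(line)
    if not m:
        return None
    g = m.groupdict()
    return SfrDrop(g["proto"], g["src_if"], g["src_ip"], int(g["src_port"]),
                   g["dst_if"], g["dst_ip"], int(g["dst_port"]))

def captive_portal_drops(lines: Iterable[str]) -> Dict[str, int]:
    """Count SFR drops per source host whose destination is the captive-portal listener.
    Repeated hits from one host mean that host never reaches the login page."""
    counts: Dict[str, int] = {}
    for line in lines:
        d = parse_sfr_drop(line)
        if d and d.dst_port == CAPTIVE_PORTAL_PORT and d.dst_if == CAPTIVE_PORTAL_IF:
            counts[d.src_ip] = counts.get(d.src_ip, 0) + 1
    return counts

# Constructed sample log lines modelled on the one quoted in the thread.
SAMPLE_LOG = [
    "%ASA-4-434002: SFR requested to drop TCP packet from vlan80:10.255.111.10/53061 to identity:10.255.111.253/885",
    "%ASA-4-434002: SFR requested to drop TCP packet from vlan80:10.255.111.10/53062 to identity:10.255.111.253/885",
    "%ASA-4-434002: SFR requested to drop TCP packet from vlan80:10.255.111.20/40001 to outside:203.0.113.5/443",
    "%ASA-6-302013: Built inbound TCP connection 12345 for vlan80:10.255.111.10/53063 (10.255.111.10/53063) to identity:10.255.111.253/885",
]

if __name__ == "__main__":
    for host, n in captive_portal_drops(SAMPLE_LOG).items():
        print(f"{host}: {n} drops toward the captive portal")
```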

4 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

For the second one it is expected, because the user entry is still there. The default timeout is 1440 minutes; if you want, you can change that under System > Integration > Realm configuration.

For the first one I am really not quite sure, but ideally it should at least prompt for the authentication window. You might need to open a TAC case so that further analysis can be done on this.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thanks Aastha. I tried changing the timeout in the realm configuration, but this affects the Active Directory users also. I reduced the time to 30 mins or 10 mins and noticed that it keeps logging off Active Directory users and shows them as unknown.

Per Tenggren
Level 1

In the access policy on the FP, do you allow traffic to 10.255.111.253/885 ?

/Per

I tried with an Access Policy in FP. It is the same behavior; for some reason it is dropping the packet.
