10-14-2020 09:31 AM
If we are using pxGrid as our identity service, can we allow computers based on their computer object in AD? Ex. If we want to block an AD group of computers from accessing a resource?
10-14-2020 09:56 AM
You could, but the only way the FMC/FTD would have a computer binding would be if the computer has been authenticated and is at the login prompt without a user logged in, otherwise that binding is replaced with a user/ip binding.
HTH
10-14-2020 10:32 AM
Okay, so with that being said, there's not really a way to do this if a user is logged into the machine?
10-14-2020 10:53 AM - edited 10-14-2020 10:54 AM
Interestingly, I had tried that a few weeks ago and could not make it work in any way. Although I could see the computer object in the ACP Users tab and add it to the selected "users", the FMC could not treat it as a user, hence no traffic was matching. When I ran some identity debugs, I kept seeing that object coming in as unknown with all 9s. Then I thought it might have been caused by the $ sign appended to the computer name, so I went to change that in AD, but that did not help. Also, although I could see the computer name correctly on the active sessions page, it never showed up in the connection events. My conclusion on this is that the FMC can't treat computers as users due to the object class "computer" associated with them.
10-14-2020 10:36 AM
Correct.
You'd need to block traffic based on the logged-in user or group.
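The behaviour described in the accepted answer (a computer binding that only exists while the machine sits at the login prompt, and is replaced by a user/IP binding once someone logs in) can be modelled as a one-binding-per-IP identity table. The following is an added, constructed Python model of that logic, not FMC/FTD or pxGrid code; the computer name, user, IP address and AD group names are assumptions made for illustration.

```python
"""Toy model of FTD identity bindings as described in the thread.

Constructed example: not FMC/FTD or pxGrid code.  The identity table keeps
exactly one binding per IP address.  A machine that has authenticated but has
no user logged in is bound as its AD computer object (NAME$).  A user login
replaces that binding with a user/IP binding, so an access-control rule that
matches on a computer group stops matching the IP from that moment on.
Hostnames, users, IPs and group names below are assumed values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    name: str
    groups: frozenset
    is_computer: bool


@dataclass
class IdentityTable:
    bindings: dict = field(default_factory=dict)  # ip -> Identity

    def machine_auth(self, ip, computer, groups):
        """Machine authenticated, nobody logged in: bind the computer object."""
        self.bindings[ip] = Identity(computer, frozenset(groups), True)

    def user_login(self, ip, user, groups):
        """Interactive logon: the user/IP binding replaces the computer binding."""
        self.bindings[ip] = Identity(user, frozenset(groups), False)

    def current(self, ip):
        return self.bindings.get(ip)


def rule_matches(table, ip, blocked_groups):
    """Block rule keyed on AD group membership of whatever is bound to the IP."""
    ident = table.current(ip)
    if ident is None:
        return False  # no identity binding: a user/group rule cannot match
    return bool(ident.groups & frozenset(blocked_groups))


def walk_through():
    """Replay the scenario from the thread and return each rule decision."""
    table = IdentityTable()
    ip = "10.0.0.25"                      # assumed workstation address
    computer_rule = ["Quarantined-Computers"]  # assumed AD computer group
    results = {}

    # Workstation boots, machine-authenticates, sits at the login prompt.
    table.machine_auth(ip, "WS-0025$",
                       ["Domain Computers", "Quarantined-Computers"])
    results["at_login_prompt"] = rule_matches(table, ip, computer_rule)

    # A user logs in: the user/IP binding overwrites the computer binding.
    table.user_login(ip, "alice", ["Domain Users", "Finance"])
    results["user_logged_in"] = rule_matches(table, ip, computer_rule)

    # A rule written against the user's group still works at that point.
    results["user_group_rule"] = rule_matches(table, ip, ["Finance"])

    results["bound_identity"] = table.current(ip).name
    return results


if __name__ == "__main__":
    for state, decision in walk_through().items():
        print(f"{state}: {decision}")
```

Running it shows the computer-group rule matching only in the `at_login_prompt` state; once `alice` is bound to the IP the same rule no longer matches, and only a rule on her groups does, which is why the last reply says to block on the logged-in user or group.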