
Firepower - Allow based on AD Computer Object

Scott_22
Level 1

If we are using pxGrid as our identity service, can we allow computers based on their computer object in AD? Ex. If we want to block an AD group of computers from accessing a resource? 

Accepted Solution

@Scott_22 

You could, but the only way the FMC/FTD would have a computer binding would be if the computer has been authenticated and is at the login prompt without a user logged in, otherwise that binding is replaced with a user/ip binding.

 

HTH


4 Replies


Okay, so with that being said, there's not really a way to do this if a user is logged into the machine?

Interestingly, I had tried that a few weeks ago and could not make it work in any way. Although I could see the computer object in the ACP Users tab and add it to the selected "users", the FMC could not treat it as a user, hence no traffic was matching. When I ran some identity debugs, I kept seeing that object coming in as unknown with all 9s. Then I thought it might have been caused by the $ sign appended to the computer name, so I went to change that in AD, but that did not help. Also, although I could see the computer name correctly in the Active Sessions page, it never showed up in the connection events. My conclusion on this is that the FMC can't treat computers as users due to the object class "computer" associated with them.

Correct.

You'd need to block traffic based on the logged in user or group.
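The binding behaviour the replies describe can be modelled to see why a rule keyed on an AD computer object stops matching once a user logs in. The script below is an added illustration written for this thread, not Cisco code and not a description of FMC internals: it keeps a toy IP-to-identity table fed by session events (the kind of user/IP and machine/IP bindings pxGrid supplies), replaces an IP's binding whenever a new session starts for it, and evaluates a "block AD group" rule at each phase. The hostnames, users, groups and IPs are constructed sample data; the `computer_objects_matchable` switch is a hypothetical knob for comparing the accepted answer (computer binding matches while the machine sits at the login prompt) with the later reply that reports the computer object never matched at all.

```python
"""Toy model of identity bindings and group-based access rules.

Added example for this thread, not FMC/FTD or ISE code. Sample data is
constructed. It shows that a session for an IP replaces the previous
binding, so a rule on an AD computer group only matches while the
machine-auth binding (identity ending in '$') is the current one.
"""
from dataclasses import dataclass, field

# Constructed AD group membership (hypothetical group and account names).
# AD computer objects carry a trailing '$' in their sAMAccountName.
AD_GROUPS = {
    "Blocked-Computers": {"PC01$", "PC02$"},
    "Blocked-Users": {"alice"},
}


def is_computer_account(identity: str) -> bool:
    """True for AD computer objects (sAMAccountName ends with '$')."""
    return identity.endswith("$")


@dataclass
class BindingTable:
    """IP -> current identity, as an identity source would report it."""
    bindings: dict = field(default_factory=dict)

    def session_started(self, ip: str, identity: str) -> None:
        # A new session for the same IP replaces the old binding; the
        # machine/IP binding does not coexist with the user/IP binding.
        self.bindings[ip] = identity

    def session_ended(self, ip: str) -> None:
        self.bindings.pop(ip, None)

    def identity_for(self, ip: str):
        return self.bindings.get(ip)


def rule_blocks(table: BindingTable, src_ip: str, group: str,
                computer_objects_matchable: bool = True) -> bool:
    """Does a 'block members of <group>' rule match traffic from src_ip?"""
    identity = table.identity_for(src_ip)
    if identity is None:
        return False  # no binding: identity unknown, user/group rule can't match
    if is_computer_account(identity) and not computer_objects_matchable:
        return False  # hypothetical: computer object not usable as a 'user'
    return identity in AD_GROUPS.get(group, set())


def scenario(computer_objects_matchable: bool = True) -> dict:
    """Walk one host through machine auth, user logon and logoff."""
    table = BindingTable()
    ip = "10.0.0.5"  # constructed sample address

    def evaluate():
        return (
            rule_blocks(table, ip, "Blocked-Computers", computer_objects_matchable),
            rule_blocks(table, ip, "Blocked-Users", computer_objects_matchable),
        )

    results = {}
    # Phase 1: machine authenticated, sitting at the login prompt.
    table.session_started(ip, "PC01$")
    results["machine_only"] = evaluate()
    # Phase 2: user logs in; the user/IP binding replaces the machine binding.
    table.session_started(ip, "alice")
    results["user_logged_in"] = evaluate()
    # Phase 3: user logs off and the machine re-authenticates.
    table.session_ended(ip)
    table.session_started(ip, "PC01$")
    results["after_logoff"] = evaluate()
    return results


if __name__ == "__main__":
    for phase, (by_computer, by_user) in scenario().items():
        print(f"{phase:15s} computer-group rule: {by_computer}  user-group rule: {by_user}")
```

Running it shows the computer-group rule matching only in the machine-only phases and the user-group rule taking over once alice logs in; with `computer_objects_matchable=False` the computer-group rule never matches, which is the outcome the second reply observed in practice.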
