Firepower - Allow based on AD Computer Object

If we are using pxGrid as our identity service, can we allow computers based on their computer object in AD? E.g., if we want to block an AD group of computers from accessing a resource?

Accepted solution
VIP Advisor

@Scott_22 

You could, but the only way the FMC/FTD would have a computer binding would be if the computer has been authenticated and is at the login prompt without a user logged in; otherwise that binding is replaced with a user/IP binding.

HTH

Replies


Okay, so with that being said, there's not really a way to do this if a user is logged into the machine?


Interestingly, I had tried that a few weeks ago and could not make it work in any way. Although I could see the computer object in the ACP Users tab and add it to the selected "users", the FMC could not treat it as a user, hence no traffic was matching. When I ran some identity debugs, I kept seeing that object coming up as unknown with all 9s. Then I thought it might have been caused by the $ sign appended to the computer name, so I went to change that in AD, but that did not help. Also, although I could see the computer name correctly in the Active Sessions page, it never showed up in the connection events. My conclusion on this is that FMC can't treat the computers as users due to the object class "computer" associated with them.

VIP Advisor

Correct.

You'd need to block traffic based on the logged in user or group.
