FirePower doesn't work when using an Active Directory Group as a filter in an Access Control Rule

suradech.por (Level 1)

I'm doing a PoV of Cisco ASA with FirePower with my customer. I would like to integrate Firepower with MS Active Directory. Everything seems to work properly.


- Installation of the Firepower user agent completed successfully. The connection to AD works fine. All logs are GREEN.

- I created a Realm in FireSight and can download users and groups from Active Directory.

- I created an identity policy with passive authentication (using the Realm I've created)

- I can use an AD "user" account as a filter in an access control rule and it works just fine.


However, if I create an access control rule with an AD "Group", the rule never gets matched. I'm sure that the user I test with is a member of the group. The Connection Events show that the system skips that rule and the traffic is then blocked by the default action below it. It looks like Firepower doesn't know that the user belongs to the group.


I'm using

- Firepower user agent for Active Directory v2.3 build 10.

- ASA 5515 Software Version 9.5(2)

- FirePower module version 6.0.0-1005

- Firepower Management Center for VMWare


Any suggestion would be appreciated. Thanks in advance.

Accepted Solution

yogdhanu (Cisco Employee)

Hi

You would need to check the user download option under realm. Download the users once the group membership is specified on AD and then test the connection again.

Thanks

Yogesh


Thanks yogdhanu, you are correct. I didn't know before that I need to keep downloading users from AD to make Firepower update the group membership.

However, I found that your solution works only when I add a user to a group. If I remove a user from a group, just downloading users under that realm is not enough to make it work. I also need to modify something and deploy policies to Firepower. Only then will Firepower recognize that the user was removed from the group.

Thanks again, your suggestion is very valuable.

Suradech
