Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3125
Views
5
Helpful
2
Replies

FirePower doesn't work when use Active Directory Group as a filter in Access Control Rule

Go to solution
suradech.por
Level 1
Level 1

‎04-24-2016 09:25 AM

I'm doing PoV of Cisco ASA with FirePower with my customer. I would like to integrate firepower to MS Active Directory. Everything seem work properly.

 

- Installation of Firepower user agent complete successfully. Connection to AD work fine. All Logs is GREEN.

- I created a Realm in FireSight and can download users and groups from Active Directory.

- I created an identity policy with passive authentication (using the Realm I've created)

- I can use AD "user" account as a filter in access control rule and it work just fine.

 

However if I create access control rule with AD "Group", the rule never get match. I'm sure that the user I test is a member of the group. Connection Event show that the system skip that rule and the traffic then is blocked by default action below. It look like Firepower doesn't know that the user belong to the group.

 

I'm using

- Firepower user agent for Active Directory v2.3 build 10.

- ASA 5515 Software Version 9.5(2)

- FirePower module version 6.0.0-1005

- Firepower Management Center for VMWare

 

Any suggestion would be appreciated. Thanks in advance.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎04-25-2016 03:29 AM

Hi

You would need to check the user download option under realm. Download the users once the group membership is specified on AD and then test the connection again.

Thanks

Yogesh

View solution in original post

2 Replies 2

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎04-25-2016 03:29 AM

Hi

You would need to check the user download option under realm. Download the users once the group membership is specified on AD and then test the connection again.

Thanks

Yogesh

Go to solution
suradech.por
Level 1
Level 1
In response to yogdhanu

‎04-26-2016 12:49 AM

Thanks yogdhanu, you are correct. I haven't known before that I need to keep download users from AD to make firepower update the group membership.

However I found that your solution work only when I add a user to a group. But if I remove a user from a group, just downloading users under that realm is not enough to make it work. I also need to modify something and deploy policies to Firepower. And then firepower will recognize that the user was removed from the group.

Thanks again, your suggestion is very valuable.

Suradech

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card