Firesight user mapping issue with mobile devices

inlandprinting
Level 1

In a previous post I was able to figure out why Firesight was not mapping users to hosts correctly. Now I have a different problem. My mobile users who have email access reside on my internal wifi network. The DHCP pool is the same for our shop computers, which have restricted access. When a mobile device gets a DHCP address that was previously used by a shop computer, it gets blocked. I assume this is because the mobile device does not authenticate, and so Firesight continues to assume the IP is in use by the shop computer user. Anyone know of a good way to get around this? I was thinking of creating a rule based on device OS, but Firesight does not seem to have that capability. I'm sure I'm not the only one facing these problems. I'd really like to avoid creating an entirely separate SSID just to get around this system shortcoming.

Thanks,

2 Replies

yogdhanu
Cisco Employee

Hi

If you are using the user identity service based on User Agent, it's expected. User Agent learns the user-IP map from AD logon events (event ID 4624), so when mobile users have that IP and there is no logon event for that mobile, the mapping doesn't happen. User Agent cannot poll the mobile directly as it's not Windows.

One way to overcome this is to use Cisco ISE integration for user awareness. It's supported starting from version 6.0. Have all the users authenticate via ISE and integrate that with the Firepower, which should solve the issue.

You can also use captive portal, but there users will have to enter their username and password in the browser.

Rate if it helps,

Yogesh
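To make the mechanism in the reply above concrete, here is an added example (not Cisco's code and not from this thread) that simulates the user-to-IP map with constructed events: a shop PC logs on to AD, its DHCP address later goes to a phone that never produces a logon event, and a map built from logon events alone keeps reporting the shop user at that IP. The second function ties each mapping to the endpoint (MAC) that held the address when the logon was seen and drops the entry when a lease hands the IP to a different endpoint; that binding information is what an authoritative source such as ISE supplies, and the timestamps, addresses, users and MACs below are all hypothetical.

```python
# Added example (not Cisco's code, not from the thread): a minimal simulation of
# the stale user-to-IP mapping described above, using constructed events. The
# logon-only map is what a User Agent sees from event ID 4624; the binding-aware
# map clears an entry once the IP moves to a different endpoint.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    """Simplified AD logon (Windows Security event ID 4624): user seen at ip."""
    t: int      # constructed timestamp (seconds)
    user: str
    ip: str


@dataclass(frozen=True)
class LeaseEvent:
    """Simplified DHCP lease assignment: ip bound to a client MAC."""
    t: int
    ip: str
    mac: str


# Constructed sample data (hypothetical addresses, users and MACs).
SHOP_PC = "aa:bb:cc:00:00:01"
PHONE = "de:ad:be:ef:00:02"
LOGONS: List[LogonEvent] = [LogonEvent(100, "shopuser1", "10.1.1.50")]
LEASES: List[LeaseEvent] = [
    LeaseEvent(90, "10.1.1.50", SHOP_PC),    # shop PC obtains the address
    LeaseEvent(3000, "10.1.1.50", SHOP_PC),  # same PC renews its lease
    LeaseEvent(5000, "10.1.1.50", PHONE),    # PC is off; phone gets the same IP
]


def logon_only_map(logons: List[LogonEvent], at: int) -> Dict[str, str]:
    """Map ip -> user from logon events alone, as of time `at`.

    Nothing ever removes an entry, because a non-Windows device produces
    no 4624 event: this is the stale-mapping behaviour."""
    mapping: Dict[str, str] = {}
    for e in sorted(logons, key=lambda e: e.t):
        if e.t <= at:
            mapping[e.ip] = e.user
    return mapping


def binding_aware_map(logons: List[LogonEvent], leases: List[LeaseEvent],
                      at: int) -> Dict[str, str]:
    """Map ip -> user, tied to the MAC that held the IP when the logon was seen.

    When a later lease gives the IP to a different MAC, the user entry is
    dropped instead of being inherited by the new device."""
    # Merge both streams in time order; at equal timestamps a lease sorts
    # before a logon so the logon sees the lease that assigned the address.
    timeline = sorted(
        [(e.t, 0, e) for e in leases] + [(e.t, 1, e) for e in logons],
        key=lambda x: (x[0], x[1]),
    )
    ip_mac: Dict[str, str] = {}                 # current holder of each IP
    mapping: Dict[str, str] = {}                # ip -> user
    bound_mac: Dict[str, Optional[str]] = {}    # MAC the mapping was made for
    for t, _, e in timeline:
        if t > at:
            break
        if isinstance(e, LeaseEvent):
            if e.ip in mapping and bound_mac.get(e.ip) != e.mac:
                del mapping[e.ip]   # IP moved to another endpoint: stale
                bound_mac.pop(e.ip, None)
            ip_mac[e.ip] = e.mac
        else:
            mapping[e.ip] = e.user
            bound_mac[e.ip] = ip_mac.get(e.ip)
    return mapping


if __name__ == "__main__":
    for at in (1000, 4000, 6000):
        print(at,
              "logon-only:", logon_only_map(LOGONS, at).get("10.1.1.50"),
              "binding-aware:", binding_aware_map(LOGONS, LEASES, at).get("10.1.1.50"))
```

Running it shows the shop user still mapped at t=6000 in the logon-only view while the binding-aware view has no user for the address; a lease renewal by the same PC at t=3000 does not disturb the mapping. The simulation only illustrates why the logon-only view goes stale; the fix the reply recommends is to get the binding from an authoritative authentication source such as ISE rather than inferring it.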

It is quite disappointing that Cisco is unable to achieve this simple task between their own devices.

Both Palo Alto and Fortinet can obtain these mappings by having an agent receive RADIUS accounting information from the WLC, which then forwards these to the appliance.

Hopefully Cisco will pull their finger out and add this feature to a future release in order to bring functionality a little closer to two of their major competitors.
