Identifying users in fire power

Davion Stewart
Level 1

At the moment, we have FSMC 2000 with cisco ASA 5545-X with fire power services and also NGIPSv on UCS-E blades. 

At the moment, the only way we know how to identify users are by IP address or by syncing active directory. 

Is there any other way to identify users, for instance by MAC address?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

Are you using the FirePOWER User Agent software to pull username - IP address mapping? That's the best way right now.

If you have ISE, you can use it as a supplemental identity source. (Requires FMC 6.0 or later)

6 Replies

Hello Davion,

Adding to what Marvin said, here are some helpful links for the configuration part of the same in different methods.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html

http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html

Rate and mark the helpful posts.

Regards

Jetsy 

Thanks guys, I had opened a case with Cisco as well to try to get an answer; essentially they said the same thing :). I knew about both methods before but wanted to confirm. So essentially, if you aren't using AD integration, it's a bit difficult to apply policies to specific users, unless static IP addresses are being used.

[@davion.stewart]  ,

There are some more options in the pipeline but it will be early 2017 until they are available.

You do always have the option - if you have the data available - to use a static local endpoint group that maps users to MAC addresses in the AuthZ policy.

Thanks Marvin, will definitely look out for those options in 2017. As for the AuthZ policy, I suppose that is something in ISE you're referring to. We currently don't have ISE in our environment, but if we ever acquire it, I will be sure to look into that option.
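The thread's two identity sources both reduce to a table keyed on something the firewall can see in the packet: the User Agent approach builds a username-to-IP map from domain-controller logon events, and the ISE option Marvin mentions adds a static MAC-to-user table. The following Python model, added here as an illustration and not code from Cisco or anyone in this thread, shows why that matters for policy hits: a reused address must be re-attributed to the newest logon, a stale mapping must age out, an address with no mapping resolves to "unknown" (the result a later poster reports seeing), and a MAC-keyed static entry only helps once the IP has been tied to that MAC by some other source. All event records, addresses, MACs, usernames and the 8-hour TTL are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict

# Constructed sample logon records (timestamp, user, source IP), the kind of
# data a domain controller's security log yields. Hypothetical values.
LOGON_EVENTS = [
    ("2016-11-02T08:01:10", "alice", "10.1.1.20"),
    ("2016-11-02T08:03:42", "bob", "10.1.1.21"),
    ("2016-11-02T09:15:00", "carol", "10.1.1.20"),  # alice's address reused
]

# Constructed static endpoint table (MAC -> user), the kind of data a static
# local endpoint group would hold. Hypothetical values.
STATIC_MAC_USERS = {"00:11:22:33:44:55": "printer-svc"}

# Constructed IP -> MAC observations (e.g. from a DHCP lease table). The
# static table cannot match traffic without this link. Hypothetical values.
IP_TO_MAC = {"10.1.1.50": "00:11:22:33:44:55"}

# Assumed mapping lifetime; a real deployment picks its own timeout.
MAPPING_TTL = timedelta(hours=8)


@dataclass
class Mapping:
    user: str
    seen: datetime


class IdentityMap:
    """IP-keyed user map built from logon events, with a static MAC fallback."""

    def __init__(self, ttl: timedelta = MAPPING_TTL) -> None:
        self.ttl = ttl
        self.by_ip: Dict[str, Mapping] = {}

    def ingest(self, ts: str, user: str, ip: str) -> None:
        # Newest logon from an address wins, so traffic from a reused IP is
        # not attributed to the previous user.
        self.by_ip[ip] = Mapping(user, datetime.fromisoformat(ts))

    def resolve(self, ip: str, now: datetime) -> str:
        """Return the user a rule would match for this source IP, or 'unknown'."""
        m = self.by_ip.get(ip)
        if m is not None and now - m.seen <= self.ttl:
            return m.user
        # Supplemental static source: needs an IP -> MAC association first.
        mac = IP_TO_MAC.get(ip)
        if mac in STATIC_MAC_USERS:
            return STATIC_MAC_USERS[mac]
        return "unknown"


def build_map(events=LOGON_EVENTS) -> IdentityMap:
    im = IdentityMap()
    for ts, user, ip in events:
        im.ingest(ts, user, ip)
    return im


if __name__ == "__main__":
    im = build_map()
    now = datetime.fromisoformat("2016-11-02T10:00:00")
    for ip in ("10.1.1.20", "10.1.1.21", "10.1.1.50", "10.1.1.99"):
        print(ip, "->", im.resolve(ip, now))
```

Running it shows 10.1.1.20 resolving to carol rather than alice, 10.1.1.50 resolving through the static MAC entry, and 10.1.1.99 resolving to "unknown"; re-running the lookup with a clock past the TTL shows the logon-derived entries aging out while the static entry keeps matching.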

Hi, just read this today... what are those Other options available now ?


I have a customer that is decommissioning his on-prem DomainController & AD Server.

He's now using Azure (AD + Domain Services), but I can't make this IP/user mapping work with it, even though I successfully created the link between the on-prem FirePower and Azure AD and I can download Azure AD users and groups.

But whenever I use a "user" FirePower rule, I don't get a hit, and when I review the FP logs, I only see "unknown" users.

Is there a way to not use The FP Agent (the one that you install in the DC server or some domain pc) ???

(no, there is no ISE also on-prem, this is a simple & small budget network.. that's why they wanted to go with Azure now and get rid of the management labour of having an on-prem DC/AD or even an Azure DC as well)


Thanks!
