10-12-2016 06:31 AM - edited 03-12-2019 06:09 AM
At the moment, we have FSMC 2000 with Cisco ASA 5545-X with FirePOWER Services and also NGIPSv on UCS-E blades.
At the moment, the only way we know how to identify users is by IP address or by syncing Active Directory.
Is there any other way to identify users, for instance by MAC address?
10-12-2016 12:53 PM
Are you using the FirePOWER User Agent software to pull username - IP address mapping? That's the best way right now.
If you have ISE, you can use it as a supplemental identity source. (Requires FMC 6.0 or later)
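The User Agent approach described above works by watching domain controller logon events and turning them into username-to-IP mappings that the firewall can match in user-based rules. As an added illustration (my own Python, not Cisco's agent code and not something posted in this thread), here is a minimal version of that mapping logic run over a handful of constructed Security-event records: it keeps only successful logons (event 4624) of real user accounts, drops machine accounts and anonymous/system logons, lets the newest logon from an address win, and ages a mapping out after a timeout. The simplified field names, the sample records, the ignored-account list and the one-hour timeout are all assumptions made for the example. A lookup that finds no live mapping returns None, which is the situation that surfaces as an "unknown" user in the logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed sample records, loosely modelled on the fields of Windows
# Security event 4624 (successful logon). These are NOT real logs; the
# flat field names are a simplification assumed for this illustration.
SAMPLE_EVENTS = [
    {"time": "2016-10-12T08:01:10", "id": 4624, "user": "dstewart",
     "domain": "CORP", "logon_type": 3, "ip": "10.1.20.15"},
    # machine account logon from the same workstation: must not become the user
    {"time": "2016-10-12T08:01:12", "id": 4624, "user": "WS01$",
     "domain": "CORP", "logon_type": 3, "ip": "10.1.20.15"},
    {"time": "2016-10-12T08:02:00", "id": 4624, "user": "ANONYMOUS LOGON",
     "domain": "NT AUTHORITY", "logon_type": 3, "ip": "10.1.20.40"},
    # a second person logs on from the same host later: newest logon wins
    {"time": "2016-10-12T08:05:30", "id": 4624, "user": "jetsy",
     "domain": "CORP", "logon_type": 3, "ip": "10.1.20.15"},
    # service logon carries no usable source address
    {"time": "2016-10-12T08:06:00", "id": 4624, "user": "svc_backup",
     "domain": "CORP", "logon_type": 5, "ip": "-"},
    # privilege-assignment event, not a logon: ignored
    {"time": "2016-10-12T08:07:00", "id": 4672, "user": "admin",
     "domain": "CORP", "logon_type": 2, "ip": "10.1.20.9"},
]

# Accounts that never identify a person (assumed list for the example).
IGNORED_USERS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Logon types whose source address points at the user's endpoint:
# 2 interactive, 3 network, 10 remote interactive (RDP), 11 cached interactive.
USEFUL_LOGON_TYPES = {2, 3, 10, 11}


@dataclass
class Mapping:
    user: str        # DOMAIN\sAMAccountName
    seen: datetime   # time of the logon that produced this mapping


def usable(ev: dict) -> bool:
    """Return True if the event can safely produce a user-to-IP mapping."""
    if ev["id"] != 4624:
        return False
    user = ev["user"]
    if user.endswith("$") or user.upper() in IGNORED_USERS:
        return False  # computer account or non-person principal
    if ev["logon_type"] not in USEFUL_LOGON_TYPES:
        return False  # service/batch logons do not locate an endpoint
    if ev["ip"] in ("-", "", "::1", "127.0.0.1"):
        return False  # no address, or the DC itself
    return True


def build_map(events: Iterable[dict]) -> Dict[str, Mapping]:
    """Fold logon events into an IP -> Mapping table; later logons overwrite."""
    table: Dict[str, Mapping] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not usable(ev):
            continue
        table[ev["ip"]] = Mapping(
            user=f'{ev["domain"]}\\{ev["user"]}',
            seen=datetime.fromisoformat(ev["time"]),
        )
    return table


def user_for_ip(table: Dict[str, Mapping], ip: str, at: datetime,
                timeout: timedelta = timedelta(hours=1)) -> Optional[str]:
    """Resolve the user behind `ip` at time `at`, or None if no live mapping."""
    m = table.get(ip)
    if m is None or at < m.seen or at - m.seen > timeout:
        return None
    return m.user


if __name__ == "__main__":
    table = build_map(SAMPLE_EVENTS)
    for ip, m in sorted(table.items()):
        print(f"{ip:<12} {m.user:<18} seen {m.seen.isoformat()}")
    print(user_for_ip(table, "10.1.20.15", datetime(2016, 10, 12, 8, 10)))
```

The two cases worth keeping in mind when reading real agent output are the ones the sample exercises: a machine account logon or a service logon from a host must not replace the person's mapping, and a mapping past its timeout should resolve to nothing rather than to a stale user.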
10-13-2016 10:09 PM
Hello Davion,
Adding to what Marvin said, here are some helpful links for the configuration of the same using different methods.
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Identity_Policies_and_Realms.html
http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3.html
Rate and mark the helpful posts.
Regards
Jetsy
10-13-2016 10:18 PM
Thanks guys, I had opened a case with Cisco as well to try to get an answer; essentially they said the same thing :). I knew about both methods before but wanted to confirm. So essentially, if you aren't using AD integration, it's a bit difficult to apply policies to specific users, unless static IP addresses are being used.
10-13-2016 10:50 PM
@davion.stewart,
There are some more options in the pipeline but it will be early 2017 until they are available.
You do always have the option - if you have the data available - to use a static local endpoint group that maps users to MAC addresses to AuthZ policy.
10-16-2016 10:49 AM
Thanks Marvin, will definitely look out for those options in 2017. As for the AuthZ policy, I suppose that is something in ISE you're referring to. We currently don't have ISE in our environment, but if we do ever acquire it, will be sure to look into that option.
04-08-2018 09:23 AM
Hi, just read this today... what are those other options available now?
I have a customer that is decommissioning his on-prem Domain Controller & AD server.
He's now using Azure (AD + Domain Services), but I can't make this IP/user mapping work with it, even though I created the link between on-prem FirePower and Azure AD successfully and I can download Azure AD users and groups.
But whenever I use a "user" FirePower rule, I don't get a hit, and when I review the FP logs, I only see "unknown" users.
Is there a way to not use the FP Agent (the one that you install on the DC server or some domain PC)?
(No, there is no ISE on-prem either; this is a simple, small-budget network... that's why they wanted to go with Azure now and get rid of the management labour of having an on-prem DC/AD or even an Azure DC as well.)
Thanks!