12-19-2017 07:11 AM - edited 02-21-2020 06:58 AM
Hello Friends,
I'm stuck on a problem where I need your suggestion.
I have an ASA 5555X (9.6.(3)8) with Sourcefire services (6.2.2) running in HA. I have implemented Passive authentication, with Active authentication as a fallback to Passive, for all my internal users, and it's working seamlessly.
I want to implement the same thing for AnyConnect users but am unable to determine the best approach.
If I enable Passive authentication for AnyConnect users, then there would be a mismatch of user and IP, as VPN users are meant to connect and disconnect frequently and the ASA will assign different IPs (depending on the ASA's available IPs), and I don't want my users to enter their credentials again on the captive portal every time. SSO should be there.
Thanks in advance
12-19-2017 07:45 AM
What's the authentication server for your VPN users?
If it were ISE, you should be able to use that as an identity source in FMC.
12-19-2017 08:39 PM
Thanks Marvin for your response.
We are using Microsoft AD as the authentication source for VPN users and are not using ISE as of now.
12-20-2017 04:35 AM
OK, unfortunately with AD directly as the AAA server, you won't get the user-to-IP address mapping even if you use the Firepower User Agent.
I just confirmed in my lab that the User Agent does not map those authentications, as they are not logins in the AD sense of a user logging into a workstation. Rather, they are a basic LDAP authentication of a username against the AD database. As such, the User Agent doesn't capture the WMI logon event that it uses.
12-28-2017 11:27 PM
12-29-2017 04:50 AM
Adding ISE to the mix would establish an authoritative source of identity to IP mapping.
Short of that I don’t think you can do it with the ASA, Firepower and AD.