Implement Identity Policy for Anyconnect users

pankajkumar2
Level 1

Hello Friends,

I'm stuck on a problem where I need your suggestion.

I have ASA 5555X (9.6.(3)8) with Sourcefire services (6.2.2) running in HA. I have implemented Passive authentication and Active authentication as a fallback of Passive for all my internal users and it's working seamlessly.

The same thing I want to implement for Anyconnect users but I am unable to determine the best approach.

If I enable Passive authentication for Anyconnect users then there would be a mismatch of user & IP, as VPN users are meant to get frequently connected and disconnected and the ASA will provide different IPs (depending on the IPs available on the ASA), and I don't want my users to enter credentials again on the captive portal every time. SSO should be there.

Thanks in advance

5 Replies

Marvin Rhoads
Hall of Fame

What's the authentication server for your VPN users?

If it were ISE, you should be able to use that as an identity source in FMC.

Thanks Marvin for your response.

We are using Microsoft AD as the authentication source for VPN users and are not using ISE as of now.

OK, unfortunately with AD directly as the AAA server, you won't get the mapping of user to IP address even if you use the Firepower User Agent.

I just confirmed in my lab that User Agent does not map those authentications as they are not logins in the AD sense of a user logging into a workstation. Rather, they are a basic LDAP authentication of a username against the AD database. As such, the User Agent doesn't capture the WMI logon event that it uses.

Thanks Marvin for your support.
But in that case, what is the best possible solution for us?
As I understood, Passive authentication will not work here, & if I decide to use Active authentication, I think that will also not work properly.
Let me explain, let's take an example:
User1 has connected over VPN and got IP1 --> He accessed the Internet after successful authentication on the Captive portal.
Now User1 has disconnected from VPN after some time, but his Internet session still remains active on FMC & SFR.
Now User2 has tried connecting to VPN and got the same IP from the ASA --> As FMC/SFR already has a session associated with that IP, it will simply allow the Internet connection without asking for any authentication, which is a kind of identity breach: the user will be able to access the type of Internet content that this user is not allowed to.

Please help with a practical solution.
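
The address-reuse scenario above, as an added model that is not part of this thread and not Firepower's actual logic: a user-to-IP table populated only by captive-portal logins keeps returning the previous user after the ASA hands the same address to someone else, while a table fed by VPN session start/stop events (what an authoritative source such as ISE contributes, via session accounting) drops the mapping on disconnect and re-keys it on the next connect. The event stream, the address and the user names are constructed sample data.

```python
"""Model of stale user-to-IP mappings when a VPN pool address is reused."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample event stream (event, user, ip): User1 connects and
# authenticates on the portal, disconnects, then User2 is assigned the same IP.
EVENTS = [
    ("vpn_connect", "user1", "10.10.10.5"),
    ("portal_auth", "user1", "10.10.10.5"),
    ("vpn_disconnect", "user1", "10.10.10.5"),
    ("vpn_connect", "user2", "10.10.10.5"),  # same address reused by the pool
]


@dataclass
class IdentityMap:
    # session_aware=False: only portal logins populate the table and nothing
    # ever removes an entry (the situation described in the thread).
    # session_aware=True: VPN session events create and tear down mappings.
    session_aware: bool
    table: dict = field(default_factory=dict)

    def apply(self, event: str, user: str, ip: str) -> None:
        if event == "portal_auth":
            self.table[ip] = user
        elif self.session_aware and event == "vpn_connect":
            # A new session on this address supersedes any earlier identity.
            self.table[ip] = user
        elif self.session_aware and event == "vpn_disconnect":
            # Session ended: the address no longer identifies anyone.
            self.table.pop(ip, None)

    def user_for(self, ip: str) -> Optional[str]:
        return self.table.get(ip)


def replay(session_aware: bool, events=EVENTS, ip: str = "10.10.10.5") -> Optional[str]:
    """Replay the events and report which user the table attributes to ip."""
    m = IdentityMap(session_aware)
    for ev in events:
        m.apply(*ev)
    return m.user_for(ip)


if __name__ == "__main__":
    print("portal-only table after IP reuse :", replay(False))  # user1 (stale)
    print("session-aware table after IP reuse:", replay(True))  # user2
```

With `session_aware=True`, the lookup right after the disconnect event returns `None`, so the next connection on that address has to authenticate instead of inheriting User1's policy decision.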

Adding ISE to the mix would establish an authoritative source of identity to IP mapping.

Short of that I don’t think you can do it with the ASA, Firepower and AD.
