Install Cisco Firepower User Agent for Active Directory.

cisco8887
Level 2
Hi All,

Where do you install the agent for user mapping?

I understand it must be AD; if so, does that mean all ADs?

How about if you use NTLM, does the browser automatically authenticate the user using their current session?


Thanks

3 Replies

Marvin Rhoads
Hall of Fame
The User Agent can be installed on any Windows host in your Active Directory (AD) domain. A given user agent can support up to four Domain Controllers (DCs). Altogether you must have a User Agent querying every DC in your domain that processes user login events.


With respect to NTLM authentication, the Firepower User Guide informs us as follows:

"If transparent authentication is configured in a user's browser, the user is automatically logged in. If transparent authentication is not configured, users log in to the network using their browser's default authentication popup window."

Many thanks.

Will it pull all 4 DCs at the same time on the interval setup?

So if I have 12 DCs then I need 3 agents? One question is how will it deal with conflicts?

Finally, if I use NTLM, can it attempt to find the user and, if not, pass rather than block?

Out of interest, does the agent read the event logs to determine user mapping?

If so, does the agent username need to have certain domain rights?

Yes - 12 DCs would require 3 User Agent instances.

I'm not positive on how it handles the polling intervals under the covers. I don't believe that's publicly documented explicitly. You should be able to look at the event logs on the system where User Agent is installed to see the polling events and their timestamp.

Details are shown here:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118159-troubleshoot-firesite-00.html


Your access control policy can have a default rule or set of rules to be used in the event of no available authentication status.

User Agent queries the Windows Event Log using WMI. So yes, some minimum privileges are required. There is a technote detailing them here:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html
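As an added illustration of what the answer above describes (not Cisco's code, and not the User Agent itself): a PowerShell check that reads recent successful logon events (event ID 4624) from a Domain Controller's Security log over WMI, which is useful for confirming that the intended service account has enough rights before pointing a User Agent at that DC. The DC name, the lookback window and the 4624 insertion-string positions are assumptions for the example.

```powershell
# Added example: query a DC's Security log over WMI the way a user-mapping agent would,
# to verify the service account can read logon events. Assumed values are marked.
param(
    [string]$DomainController = 'dc01.example.local',      # assumed DC hostname
    [int]$LookbackMinutes = 5,                              # assumed polling window
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'User Agent service account')
)

# WQL compares timestamps in DMTF format (yyyyMMddHHmmss.ffffff+offset), so convert the cutoff.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-$LookbackMinutes))

# Security log, EventCode 4624 = "An account was successfully logged on".
$filter = "Logfile='Security' AND EventCode=4624 AND TimeGenerated>='$since'"

try {
    $events = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $DomainController -Credential $Credential -Filter $filter -ErrorAction Stop
} catch {
    # "Access denied" here means the account is missing the rights the technote above lists.
    Write-Error "WMI query to $DomainController failed: $($_.Exception.Message)"
    return
}

# Assumed 4624 InsertionStrings layout: 5 = target user, 6 = target domain, 8 = logon type, 18 = source IP.
$events | ForEach-Object {
    $s = $_.InsertionStrings
    [pscustomobject]@{
        Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
        User      = "$($s[6])\$($s[5])"
        LogonType = $s[8]
        SourceIP  = $s[18]
    }
} |
    Where-Object { $_.User -notlike '*$' } |   # drop machine-account logons, which are not user mappings
    Sort-Object Time |
    Format-Table -AutoSize
```

An empty result with no error usually means the window is simply quiet; an access-denied error is the privilege problem to fix on the service account.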
