1377 Views · 0 Helpful · 3 Replies

Macintosh computers unaffected by allow rules in access control

jacenkoj33
Level 1

Last week my company revised their policy to become HITRUST compliant. As part of this compliance will be to lock down the network to prevent data leaks. Also, one of the subsidiaries is somewhat out of scope from this as they're a marketing agency and need to continue to do business as usual, interfacing with the customer and customer data using web sites and services that need to be blocked.

So to accommodate the marketing branch I created allow rules higher in the access list to essentially bypass the content that is now blocked company-wide. These rules tested out OK using a Windows PC, but I never imagined the Macintosh would behave differently.

To deal with ongoing administration I created security groups in AD and added users to each based on which exemption was approved for their department. In the allow rules I added the security group for each corresponding allowed access.

What ended up happening is users with Windows computers were granted their exemption through the allow rules, but the Macintosh users continued to be blocked by the company-wide block rule. I then tried by user AD account name and even machine IP address to no avail.

My question is: is anyone else in the community coming up against this same issue with their Macintosh, and/or does anyone have an idea to get these Macintosh computers to play by the rules, so to speak?

To give you an idea of what is happening: Sourcefire is not relating a user to the IP and MAC address of the Macintosh.

Sourcefire blocked Facebook on this 10.40.2.20 IP address.

When I looked it up, it came up with no current user.

I attached a screenshot of the host profile if anyone cares to take a look.

Thanks a bunch...

Accepted Solution

Dinkar Sharma
Cisco Employee

Hi,

Mac users cannot be part of the Windows domain. Have you integrated the Mac for AD authentication? I have seen some posts on the internet about it, but I am not sure though. I don't think this will work for Mac users. The bottom line is, the user should get authenticated by AD and a logon event should be generated on AD (I believe 4624). The User Agent reads that event and then informs the FMC, and that's how the FMC learns about the user-to-IP mapping.

Thanks,

Dinkar

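To illustrate the mechanism Dinkar describes (the user-to-IP map is built only from AD logon events, so a host that never logs on to AD stays unmapped and cannot satisfy a group-scoped allow rule), here is an added simulation. It is example code written for this thread, not Cisco's User Agent or FMC code; the event records, the account names, the group "Marketing-Exempt" and the two-rule policy are all constructed assumptions, with only the IP 10.40.2.20 and Event ID 4624 taken from the posts.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed AD Security log records in simplified form (not real event XML).
# Only Event ID 4624 (successful logon) feeds the user-to-IP map; the Mac at
# 10.40.2.20 from the post never logs on to AD, so it never produces a 4624.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "CORP\\alice", "src_ip": "10.40.2.10"},
    {"event_id": 4634, "account": "CORP\\alice", "src_ip": "10.40.2.10"},  # logoff
    {"event_id": 4624, "account": "CORP\\bob", "src_ip": "10.40.2.11"},
    {"event_id": 4625, "account": "CORP\\eve", "src_ip": "10.40.2.12"},  # failed logon
]
# Constructed AD security group referenced by the exemption rule.
GROUP_MEMBERS = {"Marketing-Exempt": {"CORP\\alice"}}

def build_user_ip_map(events):
    """Return {src_ip: account} from successful logon events (4624) only."""
    mapping = {}
    for ev in events:
        if ev.get("event_id") == 4624 and ev.get("src_ip"):
            mapping[ev["src_ip"]] = ev["account"]
    return mapping

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    app: Optional[str] = None    # None = any application
    group: Optional[str] = None  # None = no user/group condition

# Stand-in for the policy in the post: a group-scoped allow rule above a
# company-wide block rule for the same application.
POLICY = [
    Rule("marketing-exemption", "allow", app="facebook", group="Marketing-Exempt"),
    Rule("company-wide-block", "block", app="facebook"),
]

def evaluate(src_ip, app, user_map, policy=POLICY):
    """First matching rule wins. A group condition can only match an IP the
    user map resolves; an unmapped IP ('no current user') falls through."""
    user = user_map.get(src_ip)
    for rule in policy:
        if rule.app not in (None, app):
            continue
        if rule.group and user not in GROUP_MEMBERS.get(rule.group, set()):
            continue
        return rule.name, rule.action, user
    return "default", "allow", user
```

Running `evaluate("10.40.2.20", "facebook", build_user_ip_map(SAMPLE_EVENTS))` returns the block rule with user `None`, which is exactly the "no current user" host profile in the original post.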

3 Replies

Thanks Dinkar,

That is a similar answer we received from a Cisco rep demoing another technology for my company. It came to light that the type of authentication that Macintoshes use is not sufficient for Sourcefire to resolve the account to an IP. I guess it might be possible if additional software were used on the Macintosh to force it to play nice with Microsoft Active Directory, but it's a significant cost if you have many Macs in your environment. Thanks much for your response to a very odd scenario.

To accomplish this, I would recommend you use Active Authentication for Mac users, which was introduced in Firepower version 6.0.0.

Please have a look at the article below:

Configure Active Directory Integration with Firepower Appliance for Single-Sign-On & Captive Portal Authentication

Regards,

Sunil Kumar

Rate if this helps!!
