Network Users Discovery.

n.avramenko87
Level 1

Hello! It's me again. I have read all the documentation but have not found the answer. I have a problem with Network Discovery for users.

I have created:

1. Policy - Network Discovery - Network: here I added networks, a zone and actions (discover users, hosts, applications)

2. Policy - Network Discovery - Users: here I added all protocols

Then created:

3. Policy - Access Control: with some rules (use discovery only by default)

As I understand it, for a first attempt that is all. But the system cannot find users (it finds only users that use FTP).

Maybe it needs NetFlow devices? What am I doing wrong? Thank you!

Accepted Solution

yogdhanu
Cisco Employee

Hi

Network discovery does discover hosts and applications, but this cannot be used in an access control policy for user-based rules.

Network discovery's primary usage is for IPS policy FireSIGHT recommendations and awareness of the user data in FireSIGHT.

For access control policies, Firepower needs to have a user-to-IP mapping, based on which it can apply the rules.

You would need the User Agent, which can get the user-to-IP mapping, and then the whole configuration on Firepower that works along with it.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118131-technote-sourcefire-00.html

The above articles will help.

Rate if it helps.

Yogesh



THANK YOU! Sorry for my stupidity!

Here: navigating to Policies > Access Control > Rules > Users, I see the users and groups that I added in Users > LDAP Connections. This means that it all must work. I will check! Thank you for your time.

I think I found my problem! It is a problem with access to the DC. I tried to install the agent on another computer (not in the domain) and got the error "unable to read security log on DC". Trying to solve it! P.S. Very strange: I do not get this error if I try to add AD in the agent that is installed on the DC.

Hi

Use these to verify the permissions.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118159-troubleshoot-firesite-00.html

Hope it helps

Yogesh

Oh gods :) I found the mistake :) The problems were with the policies on the domain.

Enable Audit Logoff. Enable Audit Logon. And now I see users. Woooo!!! The error "An error occurred while fetching encryption bytes from 'C:\UserAgentEncryptionBytes.bin': Specified key is not a valid size for this algorithm." is left. But I see users! THANK YOU!

Hello,

Please check that the file UserAgentEncryptionBytes.bin is present and has a size greater than 0.

Delete UserAgentEncryptionBytes.bin

Enable the Cisco User Agent Service to run as a different user:

Please follow these steps:

Open the Service console

Start > Run > services.msc (or through Administrative Tools)

Right-click and choose Properties for Cisco Firepower User Agent

Select Log On tab

Specify a known account with proper rights to run the service

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118637-configure-firesight-00.html


Apply and start the service

Verify the C:\UserAgentEncryptionBytes.bin is recreated and has a size greater than 0

Rate if the post helps you

Regards

Jetsy 
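The two things this thread turned out to hinge on, the domain audit policy (the Audit Logon / Audit Logoff fix a few replies up) and the state of the User Agent's encryption-bytes file and service account (the steps just above), can be checked read-only from the host where the agent runs. The script below is an added example, not Cisco's code and not something posted in this thread. It assumes the file path C:\UserAgentEncryptionBytes.bin quoted in the error message, and it assumes the service's display name contains "User Agent" (the exact display name is not confirmed on this page); the `auditpol` subcategory names "Logon" and "Logoff" are the standard Windows ones. Run it in an elevated PowerShell session.

```powershell
# Added example: read-only health checks for a Firepower User Agent host.
# Assumptions (not confirmed by the thread): service display name matches '*User Agent*';
# the encryption bytes file path is the one quoted in the error message above.

$EncryptionBytesPath = 'C:\UserAgentEncryptionBytes.bin'
$ServicePattern      = '*User Agent*'

function Test-AuditSubcategory {
    # Returns $true when the named audit subcategory is set to anything other than "No Auditing".
    param([Parameter(Mandatory)][string]$Name)
    # auditpol prints a small table; the row for the subcategory carries the effective setting.
    $row = (& auditpol.exe /get /subcategory:$Name 2>&1) |
           Where-Object { "$_" -match "^\s*$Name\s" } |
           Select-Object -First 1
    if (-not $row) { return $false }          # subcategory not reported (bad name or no rights)
    return ("$row" -notmatch 'No Auditing')
}

function Test-EncryptionBytesFile {
    # The agent error in this thread came with a zero-byte file; report presence and length.
    param([string]$Path = $EncryptionBytesPath)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Length = 0; Ok = $false }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Length = $item.Length; Ok = ($item.Length -gt 0) }
}

function Get-UserAgentServiceAccount {
    # Shows which account the service logs on as (the "Log On" tab value) and whether it is running.
    param([string]$Pattern = $ServicePattern)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object Name, DisplayName, State, StartName
}

# Summary. Both audit checks should print True; the file should show Ok=True;
# StartName should be the dedicated account you configured, not a random local user.
"Audit Logon  enabled: $(Test-AuditSubcategory -Name 'Logon')"
"Audit Logoff enabled: $(Test-AuditSubcategory -Name 'Logoff')"
Test-EncryptionBytesFile | Format-List
Get-UserAgentServiceAccount | Format-List
```

If the audit checks print False on a domain controller, the local `auditpol` view still reflects the effective policy, so the fix belongs in the domain GPO (as the original poster found); if the file reports Ok=False after a service restart under the new account, the account is the next thing to verify.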


Oh! I already tried to do this, and it did not help me. Yes, the size of this file is 0 bytes.

I don't use the agent, and I can manage to get user information by using the LDAP authentication module. Make sure you capture all the parameters in the Org. Having said that, using the User Agent at the domain controller is the preferred way. You need to work with the Windows admin and check all the policies, logging, ports, etc. Happy troubleshooting.

Hello friends! Thank you for your advice! I do not use the agent! As I understand it, it is needed only if I want to use an access policy in Firepower. I do not need it! I see all my users and their activity.

Congratulations!

Jetsy Mathew
Cisco Employee

Hello Avram,

As I told you in some of the previous replies to your User Agent queries last week, user-based access control policies can be created only by installing the Firepower User Agent. Once the User Agent is installed properly, you can create the AC policy based on specific users. Navigate to Policies > Access Control > Rules > Users. Under Users you should be able to search for the users that you fetched from the AD. If you are not able to fetch the users, that means the User Agent installation or communication is not proper.

Rate if the post helps you.

Regards

Jetsy 
