Passive Authentication not working in FireSight

rgnelson
Level 1

We just cannot get Firesight to be user aware at all. I can match logon events from the DC, to the SF User Agent to traffic being processed through the SFR module, and have it either hit my unknown/Anon user rule, or be denied based on no identity. I have just not been able to make this work. 

We are using the Firesight Management Center for vMware, 6.0. SFR module in 5515-X: 

SFR# show module sfr details
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: <clip>
Firmware version: N/A
Software version: 6.0.0-1005
MAC Address Range: <clip>
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.0.0-1005
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: <clip>
Mgmt IP addr: <clip>
Mgmt Network mask: <clip>
Mgmt Gateway: <clip>
Mgmt web ports: 443
Mgmt TLS enabled: true

Firepower User Agent for Active Directory v2.3 b10 is installed on Win2K12R2. AD servers are configured, real-time events are enabled, and each DC status is Green. The Firesight appliance is configured the same way, and its status is also 'Green'.

I believe output from debug logging shows events are reported to Firesight appliance. 

"12/15/2015 5:25:45 PM","debug","[2329] - Real Time Event Received - 12/15/2015 5:25:45 PM,<username>,<IP>,interactive"
"12/15/2015 5:25:45 PM","debug","[2203] - Reported 1 events (<dc fqdn> -> <firesight fqdn>)."

User Agent has been run as both a minimum rights user and as a domain admin for testing purposes. 

Integration -> Identity Sources have the User Agents configured. Have tried both FQDN and IP. 

In the Firesight Management Center a realm has been configured. I've selected 10 groups to include, I have not excluded any groups. When Download users is clicked, it downloads 10 groups, and an appropriate amount of users. 

LDAP Download 1s
Download users/groups from Active Directory.
LDAP download successful: 10 groups, 235 users downloaded

The Identity Policy is configured for Passive Auth, and set to use the configured Realm. The Access Control Policy has the Identity Policy selected, and the rules have AD groups from the Realm sync. There are not so many options selected in the rules that traffic will not match, just some URL categories and the users' Groups.

Reviewing traffic in Analysis -> Connection Events, the only value in 'Initiator User' is Unknown. 

Rules without users specified will have traffic match and 'work'

Analysis -> User Activity lists some users, mostly with "No Authentication"  as the Auth type. 

System Users are set to use External Authentication to the same AD GC's as configured in the Realm config. This works. 

TIA folks!

23 Replies

You might be hitting the same issue as I was; here is my suggestion:

1. Re-configure the Realm to use the (Pre-Windows 2000 NetBIOS Name) of the Domain.

2. Stop/wipe out the AD User Agents and build the config from scratch; this time put the same NetBIOS name as the Domain name when you add the config back on the Agent.

3. Start the agent service.

Still not working

I tried rewriting all FQDNs to NetBIOS, reinstalling the AD agent and configuring it with the NetBIOS name, deleting the Realm, Identity Policy Rule, Access Control Rule... and configuring everything from the beginning, but without success. The new rule works like the old one. Without AD Users the block page displays correctly; with AD Users the Rule is skipped and the restricted page is displayed.

From Agent to FirePOWER:
sudo tcpdump -i eth0 -n port 3306 -> OK

From FirePOWER to AD with Agent
sudo tcpdump -i eth0 -n port 389 -> OK

.... Passive Authentication / Access Rule with AD user still not working

Any Idea?

We have implemented FMC and FP version 6.2.2 and got the same issue. FMC did not display any passively authenticated users in the list. After checking all the Cisco guides and testing, we failed to find the issue. A TAC case solved the issue: it was in the AD configuration. We needed to enable logon and logoff auditing in group policy to detect users who are logging in and logging out. Hope someone will find this helpful.

regards,

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

ndespature
Level 1

Hi there,

We had a similar issue. Everything was correctly configured (realm/identity policy/user agent). But there was still a problem with the user agent: it was not filling up the IP map (which contains user logins mapped to their IP address).

You might want to check the content of this map. To populate the map so that you can see it, go to your program files directory, where the user agent is stored (usually something like ...\Program Files (x86)\Cisco Systems, Inc\Cisco Firepower User Agent for Active Directory). You should find an application called Tools. Run the app, go to the "User Map" folder, check IPv4 addresses and click the "Export current User / IP address map" button. That will populate a CSV file containing the list of connected users.

If the file is empty, try relaunching the User Agent. That worked for us.

Hope that it will guide someone toward the correct direction :)

Regards

Hi. We have a production scenario with Firepower 6.2.1 and suddenly this issue occurred in our environment. After a general reboot in the datacenter, FMC started to show all users as "Unknown", so it's not possible to track who connected and from where. I've done all of the possible solutions in this forum:

  1. Restart the Firesight User Agent in our AD.
  2. Deep check and little changes over every policy configured in our FMC: Identity, ACP, Realm. (We're using Passive Authentication only)
  3. Change domain name to NETBIOS name in Realm configuration so that we could scratch CSCux39125.
  4. Check that ports TCP 135 and TCP 3306 in AD server were open and working, as @tellis002 mentioned.
  5. Check in the application Tools.exe (in the folder where the Firesight User Agent is installed) that IPv4 addresses are related to a user by exporting the CSV file.

And... None of these options worked. I compared the results of every troubleshooting action against another 90-day-demo Firepower environment I have deployed in a lab with version 6.2.2. The results were the same except for the fact that in the lab scenario I could see who logged in against the Firesight and what was his/her IP.


I think we're gonna have to open a case in Cisco TAC.

voipleo
Level 1

Had the same issue with no authentication from a child domain. It turned out there actually were no logon events on the domain controller. If you use Windows Server 2008 or later (hope you are), enable Logon/Logoff audit under Advanced Audit Policy Configuration. You must then see event 4624 in your domain controller security log.

Also I set Realm configuration to use old-style domain name and AD agent configuration as well.

Also I want to share with you some more experience.

One day AD authentication just stopped working in Firepower. I checked everything like a thousand times, switched every possible setting on and off: no sign of error or misconfiguration.

And finally I rebooted FMC and all users got recognized. Probably 8GB of ram is not enough for VM.
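The two replies above (enabling logon/logoff auditing, and confirming 4624 events exist on the DC) boil down to a check you can script. The following is an added example, not code from the thread or from Cisco; it assumes an elevated PowerShell session on the domain controller, and the logon-type filtering is my own choice, not the User Agent's documented logic.

```powershell
# Added example: confirm that a DC is writing the 4624 logon events a passive
# identity agent depends on, and list the user-to-IP pairs it could map.

function Test-LogonAuditing {
    # auditpol prints a table; the Logon subcategory row must not say "No Auditing".
    $lines = auditpol /get /subcategory:"Logon" 2>&1
    $row = $lines | Where-Object { $_ -match '^\s*Logon\s' }
    if (-not $row -or $row -match 'No Auditing') {
        Write-Warning "Logon success auditing is off; 4624 events will not be written."
        return $false
    }
    Write-Host "Logon auditing setting: $($row.Trim())"
    return $true
}

function Get-UserIpLogons {
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Skip machine accounts, anonymous logons and events with no usable source IP.
        # On a DC a workstation logon usually shows up as a type 3 (network) logon
        # whose IpAddress is the workstation, which is the pair worth mapping.
        if ($data.TargetUserName -like '*$') { continue }
        if ($data.TargetUserName -eq 'ANONYMOUS LOGON') { continue }
        if ($data.IpAddress -in '-', '::1', '127.0.0.1') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Domain    = $data.TargetDomainName   # compare with the name used in the Realm
            User      = $data.TargetUserName
            IpAddress = $data.IpAddress
            LogonType = $data.LogonType
        }
    }
}

if (Test-LogonAuditing) {
    $logons = @(Get-UserIpLogons)
    if ($logons.Count -eq 0) { Write-Warning "Auditing is on but no mappable 4624 events were found." }
    $logons | Format-Table -AutoSize
}
```

If the first function warns, the fix is the audit policy (Advanced Audit Policy Configuration, Logon/Logoff, Logon: Success) rather than anything on the FMC side; if the table is empty despite auditing being on, the DC is simply not seeing the workstation logons.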

Here's a snag I hit setting up a Realm: I could not get authentication to the DC in the domain to work. It turns out I had a flag set that made the LDAP call have to be SSL-based. I backed that out on the DC and that fixed the problem.


https://support.microsoft.com/en-us/help/2545140/fast-esp-unable-to-use-active-directory-accounts-for-authentication-lo


I told the Cisco tech that there could be better error reporting in the app for this problem. PR
