cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
815
Views
0
Helpful
4
Replies

Potential issue with AD connector for use in firewall policy

ABaker94985
Spotlight
Spotlight

We've had LDAP integration into our AD for many years for authentication into the FMC and FTD. However, we're trying to setup a rule, so that someone in our finance department is the only one who can get access to a particular website. When I configured the policy and entered the users domain username, it popped right up, and I was able to enter it into the policy. The website is blocked, and the connection event shows it was blocked because of a rule immediately after the one that was just created the specific user. For the "initiator user" user, the results show "not found". I'm not really sure what to try next, and I've not been able to find any Cisco documentation. Can someone provide an idea of where I can look? Thank you.

4 Replies 4

ABaker94985
Spotlight
Spotlight

Not sure if this will be of any use, but I resync'ed AD a while ago, and when I do a search for the user within Realms > Groups (Domain Users), I can find the user there. If I do a search for Realms > Users and put in the username, it says there "No groups were found" under the "Groups that contain selected user" column.

Disregard. There was a space in the search field.

balaji.bandi
Hall of Fame
Hall of Fame

what is the version of code FMC and FTD., we used 7.X  code works as expected.

have you configured Realm.

you can choose fall back - Here you can choose fall back method as Active authentication if passive authentication cannot identify the user identity

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

also good steps to diagnosis :

https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ABaker94985
Spotlight
Spotlight

Sorry about that, but I had intended to provide code versions: 7.0.4 for FMC and FTD. 

Realm is configured within the Identity Policy, but active authentication is not enabled. Also, the current access control policy has the identity policy configured. As I stated previously, the rule within the ACP can select the user, and AD seems to sync OK. All the info within the diagnosis article are null. Let me read through these closer - I know something is misconfigured that's probably in the articles. Thank you.

ABaker94985_0-1671486730670.png

ABaker94985_1-1671487242616.png

 

 

Herald Sison
Level 3
Level 3

i have experienced that before and my resolution is having a CISCO ISE VM installed. this may help: https://www.youtube.com/watch?v=jFFhoqrR9W0 and also setup a Realms in FMC.

https://www.ciscozine.com/cisco-fmc-ise-pic-pxgrid/ hope this helps, you can contact TAC for the license info, in my case i requested that i should have license for ISE PIC since they have transitioned from agents to ISE.

 

HeraldSison_0-1671556396810.png

 

 

Review Cisco Networking for a $25 gift card