Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
654
Views
0
Helpful
4
Replies

Potential issue with AD connector for use in firewall policy

ABaker94985
Spotlight
Spotlight

‎12-19-2022 11:38 AM

We've had LDAP integration into our AD for many years for authentication into the FMC and FTD. However, we're trying to setup a rule, so that someone in our finance department is the only one who can get access to a particular website. When I configured the policy and entered the users domain username, it popped right up, and I was able to enter it into the policy. The website is blocked, and the connection event shows it was blocked because of a rule immediately after the one that was just created the specific user. For the "initiator user" user, the results show "not found". I'm not really sure what to try next, and I've not been able to find any Cisco documentation. Can someone provide an idea of where I can look? Thank you.

0 Helpful
4 Replies 4

ABaker94985
Spotlight
Spotlight

‎12-19-2022 11:53 AM - edited ‎12-19-2022 12:27 PM

Not sure if this will be of any use, but I resync'ed AD a while ago, and when I do a search for the user within Realms > Groups (Domain Users), I can find the user there. If I do a search for Realms > Users and put in the username, it says there "No groups were found" under the "Groups that contain selected user" column.

Disregard. There was a space in the search field.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎12-19-2022 11:54 AM - edited ‎12-19-2022 11:56 AM

what is the version of code FMC and FTD., we used 7.X  code works as expected.

have you configured Realm.

you can choose fall back - Here you can choose fall back method as Active authentication if passive authentication cannot identify the user identity

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html

also good steps to diagnosis :

https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ABaker94985
Spotlight
Spotlight

‎12-19-2022 02:02 PM

Sorry about that, but I had intended to provide code versions: 7.0.4 for FMC and FTD. 

Realm is configured within the Identity Policy, but active authentication is not enabled. Also, the current access control policy has the identity policy configured. As I stated previously, the rule within the ACP can select the user, and AD seems to sync OK. All the info within the diagnosis article are null. Let me read through these closer - I know something is misconfigured that's probably in the articles. Thank you.

ABaker94985_0-1671486730670.png

ABaker94985_1-1671487242616.png

 

 

0 Helpful

Herald Sison
Level 3
Level 3

‎12-20-2022 09:15 AM

i have experienced that before and my resolution is having a CISCO ISE VM installed. this may help: https://www.youtube.com/watch?v=jFFhoqrR9W0 and also setup a Realms in FMC.

https://www.ciscozine.com/cisco-fmc-ise-pic-pxgrid/ hope this helps, you can contact TAC for the license info, in my case i requested that i should have license for ISE PIC since they have transitioned from agents to ISE.

 

HeraldSison_0-1671556396810.png

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card