Sourcefire AD agent and macOS users

Maher Shaban
Level 1

Dears,

We have the Sourcefire AD agent installed on Windows Server 2016. All users are shown in the access logs except for users logged in from macOS devices.

Is there any fix for such an issue?

Thanks,

Maher

6 Replies

Marvin Rhoads
Hall of Fame

Are the MacOS users authenticating to your domain? They need to be doing that and their login must create an audit event. That's what the agent retrieves from the server using WMI.

Hi Marvin,

Yes, they are all authenticating from the domain.

Any advice?

Thanks,

I suspect they may not be generating logon/logoff events in the Windows Security Event log.

On the Active Directory server, select Start > All Programs > Administrative Tools > Event Viewer. Then select Windows Logs > Security.

If you don't see the Mac OS logon event there, the User Agent won't either because that's where it reads to send them off to FirePOWER Management Center. In that case, you would need an alternative identity source like ISE. If you do see the events, it may be a bug and I would open a TAC case for that.

Hi Marvin,

I found out that the logon and logoff requests on AD come with the computer name, not the username.

Thanks for helping.

Cheers,
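
The Event Viewer check suggested above, and the computer-name-versus-username finding, can be scripted. This is an added example, not part of any post in this thread or of Cisco's tooling. It assumes the logons are recorded as Security event ID 4624; the function name, the `EXAMPLE` domain, the account names and the address 192.0.2.10 are constructed for illustration.

```powershell
# Added example: turn a logon event's XML into a row that shows whether the
# account is a computer account (name ends in '$') or a user account.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    # EventData is a list of <Data Name="...">value</Data> elements.
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $name = $data['TargetUserName']
    [pscustomobject]@{
        Time      = $evt.System.TimeCreated.SystemTime
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $name
        # A trailing '$' marks a computer (machine) account, not a person.
        Kind      = if ($name -like '*$') { 'Computer' } else { 'User' }
        LogonType = $data['LogonType']
        ClientIp  = $data['IpAddress']
    }
}

# Constructed sample events (not real log data): the same client address
# logging on once as a computer account and once as a user account.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4624</EventID><TimeCreated SystemTime="{0}" /></System>' +
    '<EventData><Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="TargetDomainName">EXAMPLE</Data>' +
    '<Data Name="LogonType">3</Data>' +
    '<Data Name="IpAddress">192.0.2.10</Data></EventData></Event>'
$sample = @(
    $template -f '2024-01-01T09:00:00Z', 'MACBOOK01$'
    $template -f '2024-01-01T09:00:05Z', 'jdoe'
)

$sample | ForEach-Object { ConvertFrom-LogonEventXml $_ } | Format-Table

# On the domain controller, feed live events instead (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
#                                  StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() } |
#     Where-Object ClientIp -eq '192.0.2.10' | Format-Table
```

If a Mac's address only ever produces rows with Kind `Computer`, the Security log holds no username for that host to be mapped to.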

You're welcome.

That's good info - thanks for sharing your findings.

I wasn't aware of that behavior for Mac OS clients. I wonder if that can be changed?

Are you at least getting the computer name showing up in your FMC for those Macs?

Hi Marvin,

Actually, I found the user account events on SFR user activity.

I don't know what is going on with Mac users exactly.

Any advice?

Thanks,
