01-12-2016 05:19 AM - edited 03-12-2019 05:52 AM
I've seen a few posts that skim around this but I want to get a clear answer. We are trying to figure out two things:
01-13-2016 12:21 AM
(1) No. "Users" are associated with IP addresses.
(2) Not completely sure. 75% yes.
01-13-2016 07:18 AM
1. If you do a captive portal (FirePOWER 6.0) you can require users (terminal server-based or otherwise) to provide their credentials to the FirePOWER module to access web-based resources.
2. You can alternatively create a URL Filtering policy with "networks" (could be individual /32s) as one of the criteria for the policy.
01-18-2016 10:07 AM
The captive portal suggestion is an interesting idea, but the little I've read about it suggests that the purpose wasn't to distinguish users who utilize a single IP (Terminal Server Clients) but rather to supplement the SFUA. [@mrhoads-cco] do you happen to have a link to some literature that supports that? I'd love to read it.
01-18-2016 01:45 PM
Christopher,
I see your point about TS users using a single IP address. That may break the captive portal assumption that once a user authenticated via the portal that links the IP address with the identity. I'm not sure how the details work - the configuration guide is silent on that detail.
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/User_Identity_Sources.html#concept_6E7BBA97DD5D4883AA55185B6FEEE9BA
Also, captive portal requires a routed mode IPS whereas most deployments I've seen are inline (transparent).
I was thinking more along the lines of a Citrix VDI infrastructure where the users get desktops with individual unique IP addresses. For that use case, we can differentiate access as we do with ISE per the following Guide:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMWSwC/CMWSwCConfig.html
10-13-2016 09:49 AM
Hello
I am looking for the TS agent on version 6.1
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/User_Identity_Sources.html#task_70A1D11CEE7E4F7F84CF90777F8E195F__step_CC061C4B3251440EBF5DD66D471889FC
says: ... see the Cisco Terminal Services (TS) Agent Guide => which I cannot find anywhere
I have also found that: The TS Agent feature (VDI Identity Support) is available in a limited availability program adjacent to Version 6.1.
Has anyone managed to find some docs and resources?
Thanks
Guillaume
10-13-2016 09:52 AM
[@guillaume.barberot] ,
The supporting documentation for the limited availability is only available to the customers participating in the program.
Once it is opened up (hopefully with 6.2 in the next month or so), it will be made publicly available.
10-13-2016 10:40 PM
Hello Team,
It is in limited availability.
You have to contact the accounts team who should be able to help them out.
If you are interested in being beta customers, you have to contact the Accounts team.
Rate and mark if the post helps you.
Regards
Jetsy