users not passing to firepower

systemtek
Level 1

Hi All,

We are using Configure Cisco Firepower User Agent for Active Directory installed on a domain controller. Both sections are green, which seems to indicate it should pass the details back to the Firepower.

 

I have some rules on the Firepower and I have added some users to the rules (it finds the users), but as soon as I do this they can't access the specified content. The rule works if I remove the users.

 

When looking in the logs, there is no reference to the username at all.  

 

As the initial client request contains only the IP, I believe that the Firepower should then look up that IP and match the username via the agent on the domain controller. Is there any way I can test this?

Thanks 

 

 

 


Abheesh Kumar
VIP Alumni
Hi,
Create a test rule with the user you want to allow or block as the first rule in the ACP and check whether it's working as per the AD username. Before testing, log off the machine and log in again to get the correct IP details.

HTH
Abheesh

Hi

Thanks for the reply; essentially that is what I have done. I have the correct IP in the logs, but no usernames appear in the logs. It just shows as BLOCK in the logs but no username details. As soon as I remove the username from the rule, it works.

 

Thanks 

Click the TABLE VIEW of CONNECTION EVENTS to see the detailed view.

HTH
Abheesh

Hi,

Thanks, but "Initiator User" shows as "Unknown" 

Thanks 

Which version are you running, and can you share a screenshot?

Hi,
Have you created an identity policy with passive authentication and bound it to the ACP?
For the user details, check Analysis > Users > User Activity.

HTH
Abheesh

Hi

I already checked in Analysis > Users > User Activity and this does not show my test user's activity.

Attached image from logs.

Thanks

example-firepower-unknown user.JPG

 

Almost the same issue was reported by another user; please have a look.
https://community.cisco.com/t5/firepower/fmc-6-2-2-unknown-users/m-p/3353429/highlight/true#M1322

HTH
Abheesh

Thanks for that link, Abheesh Kumar. I will need to spend some time today and tomorrow looking at that. I have found a few other similar posts, so I will take a look and see what is found. In the meantime, if anyone has any other suggestions, please let me know.
