FMC AD users passive auth works selectively.

Ivan Rezvantsev
Level 1

Good day.

We have the SFR module version 6.1 on an ASA 5516-X connected to FMC 6.1. License: Protection+Control+URL+Malware. Firepower User Agent v2.3.

The user access policy uses passive authentication. All users use Win10 domain-connected PCs with domain accounts.

90% of users work well. The FUA forwards security logs from the AD servers to the FMC, and users gain access based on their user names/groups. But 10% of users are Unknown and accordingly gain default access. I checked Events > Connections: the IP address the user uses shows the initiating user as Unknown. User Activity does not show these users, but I know for certain that this user rebooted his PC and logged in 5 minutes ago.

The FMC shows no errors. The FUA shows no errors. What must I do next to troubleshoot this issue? I tried to check the AD Security logs, but I'm not a Windows admin and the log is huge. Which Event IDs exactly does the FUA download?
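The question above (which AD logon events matter, and how to find one user's logon in a huge Security log) is what a Windows-side check usually answers first. The following PowerShell script is an added example, not code from the original post or from Cisco: it pulls Windows logon events (Event ID 4624) for a named user, or for the workstation IP that the FMC shows as Unknown, from every domain controller in the domain within a time window. It assumes the user agent consumes the standard 4624 logon event (an assumption; confirm the exact event IDs against the user-agent configuration guide for your version), that the account running it can read the Security log on each DC, and that the ActiveDirectory RSAT module is installed. The user name `jdoe` and the parameter names are hypothetical.

```powershell
# Added example (not part of the original post): find AD logon events for one
# user or one client IP across all domain controllers in a time window.
# Assumption: the Firepower User Agent relies on Windows logon Event ID 4624;
# verify the ID list against the user-agent configuration guide for your version.
param(
    [string]$User     = 'jdoe',   # sAMAccountName to search for (hypothetical)
    [string]$ClientIp = '',       # optional: the workstation IP the FMC shows as Unknown
    [int]$Hours       = 1         # how far back to look
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
# A domain logon is recorded on whichever DC handled it, so query every DC.
$dcs = (Get-ADDomainController -Filter *).HostName

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4624
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; that is not an error here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Skip computer accounts (names ending in '$'); only user logons map to people.
        if ($d.TargetUserName -like '*$') { continue }

        $byUser = $d.TargetUserName -eq $User
        $byIp   = $ClientIp -and ($d.IpAddress -eq $ClientIp)
        if (-not ($byUser -or $byIp)) { continue }

        # LogonType: 2 = interactive, 3 = network, 10 = remote interactive (RDP).
        [pscustomobject]@{
            DC          = $dc
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            IpAddress   = $d.IpAddress
            Workstation = $d.WorkstationName
        }
    }
}

if (-not $hits) {
    Write-Host "No 4624 events for '$User' / '$ClientIp' on any DC since $since."
    Write-Host "If the user definitely logged on, check that the DCs audit successful logons (Audit Logon policy)."
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Run it from a management host with RSAT, for example `.\Find-Logon.ps1 -User jdoe -ClientIp 10.1.2.3 -Hours 2`. The result splits the problem in two: if the user's logon appears here but never reaches FMC User Activity, the agent side (which DCs it is configured to monitor, and its polling interval) is the suspect; if no event appears on any DC, the DCs are not recording a logon for that user in the first place, and no agent can forward what was never written.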

5 Replies

Ajay Saini
Level 7

Hello,

Could you please confirm that you have installed and are using the Firepower User Agent:

http://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3/Intro.html

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc21

For real-time user-to-IP mapping, the user agent is required.

HTH

-AJ

Yes, the FUA is installed and working well for 90% of the users. But 10% of them do not appear in the FMC User Activity log and are shown as Unknown in the Connection Events tab.

Rahul Govindan
VIP Alumni

There was a known issue in the initial 6.1 release that caused performance issues with user-to-IP mappings. It should be fixed in 6.1.0.2 or 6.2.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb63664/?referring_site=bugquickviewredir

You mentioned the 6.1 release, so you might be affected.

An additional point to note is that when dealing with child domains, the FMC has issues if it cannot read beyond the primary domain (usually a permissions issue). What could happen is that child-domain users end up showing as "Unknown". You would have to check whether the FMC is able to see all users in the LDAP users and groups download.

How can I check the full list of users downloaded by the FMC?

What do you mean by child domains? We have only one AD domain.

I just ran the update from the FMC; it downloaded and began installing version 6.1.0.3-57.

Does the IP -> AD user matching work only with the FMC, or is it possible to have it in the logs without a virtual appliance, as in an ordinary Palo Alto setup, for example?
