Lab Minutes Forum

Technical Discussion => Security => Topic started by: robin on March 31, 2016, 08:09:37 AM

Title: Firepower User Agent Problem
Post by: robin on March 31, 2016, 08:09:37 AM
Hi MC,

I tried to build the mapping between AD (win2k) and FMC (ver 6.0.1), so I used the User Agent (ver 2.3(10)). I got the successful info from the User Agent (attachment), and I could download the groups and users from Realms. But I got nothing in Analysis --> Users --> Users or User Activity...

Could you give me any ideas to find what is wrong?

Thanks
Title: Re: Firepower User Agent Problem
Post by: MC on March 31, 2016, 08:45:58 PM
Did you add User Agent as Identity Source and enable user discovery under Discovery?
Title: Re: Firepower User Agent Problem
Post by: robin on April 01, 2016, 12:37:32 AM
Yes, I have already done those two.
I did the tcpdump too, and I got the info (attachment).
Title: Re: Firepower User Agent Problem
Post by: Pacerfan9 on April 03, 2016, 10:29:25 AM
Under Table View of Connection Events is it saying “No Authentication Required?”

I am not sure why it is necessary but removing the source filter from my identity policy resolved the issue.

See https://supportforums.cisco.com/discussion/12743236/firepower-60-initiator-user-showing-no-authenticaton-required for more info.

Title: Re: Firepower User Agent Problem
Post by: robin on April 04, 2016, 01:02:57 AM
Hi Pacerfan9,

Thanks for the info. My problem is not “No Authentication Required”, it is "Unknown". Now I have found the solution: it needs Logon/logoff success to be set in Windows Server.
Title: Re: Firepower User Agent Problem
Post by: MC on April 04, 2016, 08:42:33 PM
That was the next thing I was gonna ask if you allowed the agent AD account to have access to Windows logon accounting and if you have Windows logon/off accounting turned on. Glad it is working for you now.  :)
Title: Re: Firepower User Agent Problem
Post by: MC on April 04, 2016, 08:47:45 PM
Quote from: Pacerfan9
Under Table View of Connection Events is it saying “No Authentication Required?”

I am not sure why it is necessary but removing the source filter from my identity policy resolved the issue.

See https://supportforums.cisco.com/discussion/12743236/firepower-60-initiator-user-showing-no-authenticaton-required for more info.

Hi Pacerfan9, this actually might be a solution to my other problem I am dealing with, although in my case the user shows up as unknown regardless of the user already being mapped in the User table. I believe we might have Source IP specified under Identity Policy. Will try to remove it and see what happens. Definitely sounds like a bug.
Title: Re: Firepower User Agent Problem
Post by: Mikep on April 25, 2016, 05:58:35 PM
Do you have an Identity policy created and assigned to your access policy?
Title: Re: Firepower User Agent Problem
Post by: MC on April 25, 2016, 09:41:01 PM
Quote from: Mikep
Do you have an Identity policy created and assigned to your access policy?
Yes.. The majority of users work but there are a few that still show as unknown even though we know it should have matched the Identity policy.