KB ID 0001460
Problem
When attempting to track Users with FirePOWER, the FMC would not show any usernames?
Solution
Theres a lot of reasons this might not work, let’s take a look at a few of them.
Firstly make sure the server running the ‘user agent’ is listed under System >Integration > Identity Sources > User Agent.
It probably goes without saying, but over on server running the user agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).
Make sure your DC’s are setup to audit logon events! (I’ve had to do this in local policy directly on the DC’s before).
Ensure you have setup a ‘Realm’ for you active directory, and it’s enabled. (System > Integration > Realms).
WARNING: In some versions of the FMC there’s a ‘Bug’ that requires you use the NETBIOS name of your domain rather than its full domain name, (as shown in the example on the right).
After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.
Make sure you have an ‘Identity Policy‘, and that it’s set to discover users by ‘Passive Authentication‘, and it’s set to use the ‘Realm‘ you created. (Policies > Access Control > Identity).
In your main ‘Access Control Policy‘ > In at least one of the rules, under ‘Users‘, ensure that your ‘Realm‘ is selected and added. (Policies > Access Control).
You also under your ‘Network Discovery‘ policy make sure ‘Users‘ has been added.
Then take a look under Analysis > Users > User Activity. Make sure that logon events are getting logged, and mapped to IP addresses.
Once all the boxes are ‘ticked’, users should start appearing.
Related Articles, References, Credits, or External Links
NA
