Cisco Firepower User Agent for Active Directory Unable to Read Security Logs
Introduction to the User Agent
Version 2.3 of the user agent works in conjunction with Firepower System managed devices to gather user data. If you are using the agent with Version 5.x or Version 6.x of the Firepower System, the user agent is also essential to implementing user access control.
A user agent monitors up to 5 Microsoft Active Directory servers and reports logins and logoffs authenticated by Active Directory. The Firepower System integrates these records with the information it collects using traffic-based detection on managed devices.
User Agent End of Support
You must migrate to the Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC) before you upgrade to FMC version 6.7.
For more information, see End of FMC Support for the User Agent.
Release-Specific Terminology
See the following table for information about release-specific terminology and feature support related to user agents:
| Concept | Version 5.x term | Version 6.x term |
---|---|---|
The system | FireSIGHT System | Firepower System |
The features devoted to user discovery | Network Discovery | Network discovery and identity |
The analysis of user identity and user activity information | User awareness | User awareness |
The use of user identity and user activity data for user control | Access control | Access control |
The managing appliance | Defense Center | Management Center |
The managed appliance | Managed device | Managed device |
The server-database connection | User awareness object | Realm |
About the User Agent
This section discusses the function of the user agent in implementing user discovery on the Firepower System. For a more detailed discussion of all concepts related to user discovery, RNA/network discovery, and identity sources, see the configuration guide for your system.
For more information, see the following sections:
- User Agent Fundamentals
- Deploy Multiple User Agents
- Legacy Agent Support
- About the User Agent and Access Control in Version 5.x
- About the User Agent, ISE, and Access Control in Version 6.x
User Agent Fundamentals
The Firepower System can obtain both user identity and user activity data from your organization's Active Directory servers. The user agent enables you to monitor users when they authenticate with Microsoft Active Directory servers.
Note To perform user control, your organization must use Microsoft Active Directory. The Firepower System uses user agents that monitor Active Directory servers to associate users with IP addresses, which is what allows access control rules to trigger.
Installing and using the user agent enables you to perform user control; the agent associates a user name with one or more IP addresses, and this data can trigger access control rules with user conditions.
A complete user agent configuration for user control includes the following:
- A computer with the agent installed.
- A connection between a Management Center and the user agent computer.
- A connection between each Management Center and the monitored Active Directory servers. In Version 5.x, configure them as user awareness objects. In Version 6.x, configure them as identity realms.
For more information about user control, see the configuration guide for your system.
You can install the user agent on any Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, or Microsoft Windows Server 2012 computer with TCP/IP access to the Microsoft Active Directory servers to monitor. You can also install the agent on an Active Directory server running one of the supported operating systems; however, doing so is less secure.
Note If you install the user agent on Windows Server 2003 or an older operating system, the user agent cannot collect real time statistics from an Active Directory computer.
The Management Center connection not only enables you to retrieve metadata for the users whose logins and logoffs were detected by user agents, but is also used to specify the users and groups you want to use in access control rules. If the agent is configured to exclude specific user names, login information for those user names is not reported to the Management Center.
Agent Monitoring, Polling, and Reporting
Each user agent can monitor authoritative logins using encrypted traffic by either regularly scheduled polling or real time monitoring.
The following are among the events the user agent reports to the Management Center:
- User Login: A user logs in to a computer with an IP address not associated with the user name the last time the user was seen. In other words, suppose user name james.harvey logs in to IP address 192.0.2.100 on Monday. On Tuesday, james.harvey logs in to IP address 192.0.2.105. This login triggers a User Login event in the Management Center. User Login events occur whether the user logs in directly to a workstation or uses Remote Desktop.
- User Logoff: Occurs when a user logs out of an IP address. User Logoff events are reported to the Management Center at a configurable interval, not immediately after a user logs off of a computer.
- New User Identity: One-time event that occurs the first time a user name is associated with an IP address.
- Delete User Identity: Occurs after a Management Center administrator deletes a user identity.
Combining logoff data with login data develops a more complete view of the users logged into the network.
Polling an Active Directory server enables an agent to retrieve batches of user activity information at the defined polling interval. Real time monitoring transmits user activity data to the agent as soon as the Active Directory server receives the data.
You can configure the agent to exclude reporting any logins or logoffs associated with a specific user name or IP address. This can be useful, for example, to exclude repeated logins to the following:
- Shared servers, such as file shares and print servers
- The user agent computer
- The Active Directory server
- Logins into computers for troubleshooting purposes
You can configure an agent to monitor up to five Active Directory servers and to send encrypted data on to as many as five Management Centers.
If you are using Version 5.x or Version 6.x to perform access control, the logins reported by user agents associate users with IP addresses, which in turn allows access control rules with user conditions to trigger.
Note If multiple users are logged into a host using remote sessions, the agent might not detect logins from that host properly. See Enable Idle Session Timeouts for more information on how to prevent this.
| Capability | Notes and requirements |
---|---|
Login detection | The agent reports user logins to hosts with IPv6 addresses to Defense Centers running Version 5.2+. The agent reports non-authoritative user logins and NetBIOS logins to Defense Centers running Version 5.0.1+. To detect logins to an Active Directory server, you must configure the Active Directory server connection with the server IP address. See Configure User Agent Active Directory Server Connections for more information. |
Logoff detection | The agent reports detected logoffs to Version 5.2+ Defense Centers. Logoffs might not be immediately detected. The timestamp associated with a logoff is the time the agent detected that the user was no longer mapped to the host IP address, which might not correspond with the time the user logged off of the host. |
Real time data retrieval | The Active Directory server must run Windows Server 2008 or Windows Server 2012. The user agent computer must run Windows 7, Windows 8, Windows 10, or a Windows Server version more recent than Server 2003. |
User Agent Login Information
The user agent monitors users as they log in to the network or when accounts authenticate against Active Directory credentials for other reasons. The user agent detects interactive user logins to a host, Remote Desktop logins, file-share authentication, and computer account logins.
User agents report authoritative user logins. Authoritative login data (for example, a Remote Desktop login or an interactive login to a host by a user) causes the current user mapped to the host IP address to change to the user from the new login.
Network discovery traffic-based detection reports non-authoritative user logins. Non-authoritative logins either do not change the current user, or change the current user only if that user was also non-authoritative.
Note, however, the following caveats:
- If the agent detects a login for file-share authentication, the agent reports a user login for the host, but does not change the current user on the host.
- If the agent detects a computer account login to a host, the agent generates a NetBIOS Name Change discovery event and the host profile reflects any change to the NetBIOS name.
- If the agent detects a login from an excluded user name, the agent does not report a login to the Management Center.
For all logins, the agent sends the following information to the Management Center:
- The user's LDAP user name
Note The Management Center might not correctly display user names with Unicode characters.
- The time of the login or other authentication
- The IP address of the user's host, and the link-local address if the agent reports an IPv6 address for a computer account login
Note If a user uses a Linux computer to log in using Remote Desktop to a Windows computer, after the agent detects the login, it reports the Windows computer's IP address, not the Linux computer's IP address, to the Management Center.
The Management Center records login and logoff information in the user activity database and user information in the users database. When a user agent reports user information from a user login or logoff, the reported user is checked against the list of users in the users database. If the reported user matches an existing user reported by an agent, the reported data is assigned to that user. Reported users that do not match existing users cause a new user to be created.
Even though the user activity associated with an excluded user name is not reported, related user activity might still be reported. If the agent detects a user login to a computer, then the agent detects a second user login, and you have excluded the user name associated with the second login from reporting, the agent reports a logoff for the original user. However, no login for the second user is reported. As a result, no user is mapped to the IP address, even though the excluded user is logged into the host.
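The event rules above (User Login versus New User Identity, file-share logins that do not change the current user, computer accounts, and the excluded-user logoff side effect) can be followed more easily as a small state model. The code below is an added illustration, not the user agent's own code; the event names are taken from this page, while the `kind` labels, the two-event behaviour on a user's first login, and the immediate (rather than interval-batched) logoff reporting are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, Optional[str], str]  # (event name, user name, host IP)


@dataclass
class AgentModel:
    """Constructed model of how the agent maps AD logins to reported events."""
    excluded: Set[str] = field(default_factory=set)    # user names never reported
    last_ip: Dict[str, str] = field(default_factory=dict)  # user -> IP last seen
    current: Dict[str, str] = field(default_factory=dict)  # host IP -> current user

    def login(self, user: str, ip: str, kind: str = "interactive") -> List[Event]:
        """Return the events reported for one Active Directory login.

        kind is "interactive" or "rdp" (authoritative, replaces the current
        user) or "fileshare" (reported, but the current user is left as is).
        """
        if user.endswith("$"):
            # Computer account login: surfaces as a NetBIOS name change, not a user login.
            return [("NetBIOS Name Change", user, ip)]
        if user in self.excluded:
            # Excluded user: no login is reported, but the previously mapped user
            # is logged off, so the host ends up with no user mapped at all.
            prev = self.current.pop(ip, None)
            return [("User Logoff", prev, ip)] if prev else []
        events: List[Event] = []
        if user not in self.last_ip:
            events.append(("New User Identity", user, ip))  # first association ever
        if self.last_ip.get(user) != ip:
            events.append(("User Login", user, ip))  # IP differs from last sighting
        self.last_ip[user] = ip
        if kind != "fileshare":
            self.current[ip] = user  # authoritative login takes over the host
        return events

    def logoff(self, ip: str) -> List[Event]:
        """Assumed immediate logoff report for whoever is mapped to the host."""
        prev = self.current.pop(ip, None)
        return [("User Logoff", prev, ip)] if prev else []

    def current_user(self, ip: str) -> Optional[str]:
        return self.current.get(ip)
```

Feeding the james.harvey scenario from the text through `login()` yields a single User Login on the Tuesday change of address, and a later login by an excluded account produces only a logoff for james.harvey.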
Note the following limitations on user names detected by the agent:
- User names ending with a dollar sign character ($) reported to a Version 5.0.2+ Defense Center update the network map, but do not appear as user logins. Agents do not report user names ending with a dollar sign character ($) to any other versions of Management Centers.
- Management Center display of user names containing Unicode characters might have limitations.
The total number of detected users the Management Center can store depends on the following:
- In Version 5.x, your RNA or FireSIGHT license
- In Version 6.x, your Management Center model
After you reach the user limit, in most cases the system stops adding new users to the database. To add new users, you must either manually delete old or inactive users from the database, or delete all users from the database.
Deploy Multiple User Agents
If you have more than one Active Directory server per domain, you can consider installing more than one user agent. Active Directory servers share authentication information but not their security logs, which is where the user agent gathers some of its information.
Therefore, if there is more than one Active Directory server in your domain, you can either:
- Install one user agent that communicates with more than one Active Directory server. One user agent can communicate with up to 5 Active Directory servers.
- Install more than one user agent, each of which communicates with a different Active Directory server or domain controller. We recommend this type of deployment in the following circumstances:
– Active Directory servers are geographically dispersed; we recommend installing user agents on computers that are geographically proximate to the Active Directory server (or on the Active Directory server computer itself, although this is less secure).
– Active Directory servers are heavily loaded with traffic.
Note You must configure each user agent to communicate with the fully qualified hostname or IP address of the domain controller. In a multi-domain arrangement, it's common for each domain controller to have a different IP address or hostname.
Legacy Agent Support
Version 1.0 (legacy) user agents installed on Active Directory servers can continue to send user login data from the Active Directory server to a single Management Center. Deployment requirements and detection capabilities of legacy agents are unchanged.
You must install legacy agents on the Active Directory server to connect to exactly one Management Center. Note, however, that the User Agent Status Monitor health module does not support legacy agents and should not be enabled on Management Centers with legacy agents connected.
You should plan to upgrade your deployment to use Version 2.3 of the user agent as soon as possible in preparation for future releases, when support for legacy agents will be phased out.
About the User Agent and Access Control in Version 5.x
License: Control
If your organization uses Microsoft Active Directory servers, we recommend that you install the user agent to monitor user activity using your Active Directory servers. To perform user control in Version 5.x, you must install user agents and configure a connection to your Defense Center.
About the User Agent, ISE, and Access Control in Version 6.x
Classic License: Control
Smart License: Any
Version 6.0 introduced support for the Cisco Identity Services Engine (ISE), an alternative to the user agent. The user agent and ISE are passive identity sources that gather data for user access control. To perform user control in Version 6.x, you must configure an identity realm for your monitored Active Directory servers on the Management Center connected to the agent or ISE device. For more information about realms, identity sources, and ISE/ISE-PIC, see the configuration guide for your system.
End of FMC Support for the User Agent
Firepower Management Center version 6.6 is the final version with which you can enable the user agent. The user agent cannot be enabled in Firepower Management Center 6.7, and upgrades to 6.7 will warn you to disable the user agent before upgrading.
We strongly recommend that you stop using the user agent and switch to the Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC) as soon as possible.
You'll benefit from the following features, which are not available in the user agent:
- Support for Microsoft Active Directory up to version 2016
- Gathers authentication data from up to 10 Microsoft Active Directory domain controllers
- Gathers Active Directory authentication data from switches supporting Kerberos SPAN
- Supports passive/active redundancy
- You can upgrade from the ISE-PIC to ISE, adding the Passive Identity Connector node to an existing Cisco ISE cluster.
- Supports KVM, VMware, and Hyper-V
- Tailored to fit your organization with support for 3,000 and 300,000 sessions, depending on licensing
You are eligible for a free ISE-PIC license if you have a current support contract for any of the following:
- Any FMC hardware model
- Virtual FMC v25
- Virtual FMC v300
For the preceding models, request part number L-FMC-ISE-PIC=.
If you have FMCv2 and FMCv10, you must use the standard ISE-PIC part numbers.
For more information, see End-of-Life and End-of-Support for the Cisco Firepower User Agent.
Source: https://jerome.pro:8443/c/en/us/td/docs/security/firesight/user-agent/23/config-guide/Firepower-User-Agent-Configuration-Guide-v2-3/Intro.html