Cisco Bug: CSCvs64242 - ENH: Identify Which Realm to Use by Method Other Than Source IP Address
Apr 14, 2020
- Cisco Firepower Management Center
Known Affected Releases
Symptom: In the described situation, "Unknown" users are seen in the Initiator User column of connection events. Need a better way to assign correct realm. Customer has two realms called HOME and COUNTY. Each realm uses a subdomain (i.e. HOME uses "home.domain.com" and COUNTY uses "county.domain.com"). In AD (with identity provided by ISE), users are organized into these two subdomains based on their primary work address (i.e. the 10.x.x.x network is the HOME network and the 192.168.x.x network is the COUNTY network). Two rules are in the Identity policy, one for each realm, that matches traffic based on source IP address (i.e. 10.x.x.x or 192.168.x.x). When home users log in to their home workstations, they are correctly identified. When county users log in to their county workstations, they are correctly identified. A problem exists only when the HOME users log into the COUNTY workstations (i.e. when user is traveling); the incorrect rule is matched in the Identity policy so the incorrect realm is assigned, causing the username to not be seen in the subsequent connection events. Note that the username of these users is seen in their FMC host profile (clicking the source IP address of the connection shows the host profile). Running the user query in the sensor for home users who have logged into the country workstation shows the username is present there too. So Firepower does know their username, but the Identity policy is not putting it into the Initiator User column of the connection event. It's as if the logic says: "I have a 192 address, do I have a COUNTY realm user that matches that device? No? Then Unknown user." Conditions: ISE passive ID, and host profile show user associated with IP, however in connection events, initiator user is showing as Unknown, causing user to not get special access from Access Control policy.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases