View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0165 - ASA FirePower Network Discovery (User with AD User Agent) (Part 2)

Average: 5 (5 votes)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0165 - Video Download $8.00
Purchase SEC0165 - Video Download $8.00
The video demonstrates how you can leverage user identity information within Cisco ASA FirePower and FireSight System as part of User Network Discovery. We will utilize AD User Agent to obtain user-to-IP mapping, and integrate to Active Directory to obtain user and group information. This information can be used to tie user identity to network traffic as well as including them in Access Control rules for access enforcement
Part 2 of this videos goes through AD integration to obtain user and group information, and perform functionality testing
  • Network Discovery with User
  • AD User Agent Install
  • LDAP/AD Integration
  • Discovery Policy
  • User-to-IP Mapping
  • User Profile

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


The labs you have provided are excellent! If a user logs into the network using a wired connection and switches to wireless is there a way to map their new ip address to username?

You don't really have control over that. It depends on whether Windows causes a login event to happen for the FP agent to detect. The chances are it will not as users remain logged into Windows during the wired to wireless roaming process.

I think if you are using 802.1x authentication with that same AD server, it could see the wireless lan adapter authenticate when you connect to the wifi network, and thus it would immediately map the user to the new IP. You think that might work?

You are correct. It is possible now but only with FP 6.0 and pxGrid integration. User Agent alone would not be possible.

My question is regarding how Virtual Defense Center getting user activity when traffic has not passed firewall for example in your lab when user first login to the windows machine how system has User Activity in the log?

SourceFire user agent captured the user login activity on AD and report them to FireSight.. This is independent of the actual user traffic passing through FP.

Are there any problem with the videos?
I can´t see anymore.


We had some technical issue. Should be back to normal now.

Dear Sir,
Is there any possibility to to install multiple user agents pointing to common domain controller work as High Availability.