topic Re: Order of preference of source for user and ip mapping in General Topics

Order of preference of source for user and ip mapping

faizankhurshid — Fri, 06 Jul 2018 10:09:34 GMT

Hello All

If same user information is coming from AD and from other source like Cisco ISE syslog messages then which one takes preference in firewall?

Also who can I verify that both sources are sending user/ip mapping? As I always see source AD using command 'show user ip-user-mapping'

Re: Order of preference of source for user and ip mapping

Brandon_Wertz — Fri, 06 Jul 2018 12:49:13 GMT

I don't think there's a "preference" it's "which has most recently occurred."

If there is an initial update for IP address 1.1.1.1 that came from UIA at 0100hrs. Then for whatever reason there was a CP/SSO update for the same IP of 1.1.1.1 at 0101hrs this would replace the UIA. Then another update from ISE/syslog for the same IP at 0110hrs the recent CP entry would be replace.

This is my understanding of how IP mapping works.

Re: Order of preference of source for user and ip mapping

faizankhurshid — Fri, 06 Jul 2018 14:59:45 GMT

@Brandon_Wertz Thanks. It make sense. Also for one user, I am seeing two IP and both source is AD. How is it possible? The user login on domain machine and one entry is showing IP of that machine. He is also login through remote access VPN (integrated with AD) and other entry showing IP is from remote pool. Any explaination of this?

Re: Order of preference of source for user and ip mapping

Brandon_Wertz — Fri, 06 Jul 2018 15:07:24 GMT

You can have 10, 20 (limitless) unique IP to singular user ID mappings. If your agent has it registered then the host machine the user is on, at one point must have authenticated with the second recorded IPs.

I know I've had 6 or 7 unique IPs tied to my user ID. (RDPing into servers / VPN ... and whatnot)

Re: Order of preference of source for user and ip mapping

BPry — Sat, 07 Jul 2018 00:49:26 GMT

@faizankhurshid,

As @Brandon_Wertz already pointed out the number of IP addresses that a user can be mapped to is a limitless number (outside of the platform limits for UID). I often have users who have upwards of 10 IPs tied to their account due to logging into multiple development or software servers at any one time; one of my System Engineers often have 15+ IPs mapped to his username.

Re: Order of preference of source for user and ip mapping

faizankhurshid — Sat, 07 Jul 2018 06:34:40 GMT

@BPry @Brandon_Wertz thanks. So one user can have mulitple IP but one IP can only be tied to one user? Like one single machine, mulitple account cannot be login simultaneously? It will give bind IP of machine to last login user?

Re: Order of preference of source for user and ip mapping

Brandon_Wertz — Mon, 16 Jul 2018 15:31:06 GMT

@faizankhurshid wrote:
@BPry @Brandon_Wertz thanks. So one user can have mulitple IP but one IP can only be tied to one user?

Yes, an IP will only ever be tied to a single user. Everytime the firewall gets an update to a specific user ID being tied to a specific IP that new ID will replace what was previously identified as being associated to the IP address.