Order of preference of source for user and ip mapping

L3 Networker

Hello All

If the same user information is coming from AD and from another source, like Cisco ISE syslog messages, which one takes preference in the firewall?

Also, how can I verify that both sources are sending user/IP mappings? I always see source AD when using the command 'show user ip-user-mapping'.


L6 Presenter

I don't think there's a "preference"; it's "which has most recently occurred."

If there is an initial update for IP address 1.1.1.1 that came from UIA at 0100hrs, and then for whatever reason there was a CP/SSO update for the same IP of 1.1.1.1 at 0101hrs, this would replace the UIA entry. Then another update from ISE/syslog for the same IP at 0110hrs would replace the recent CP entry.

This is my understanding of how IP mapping works.

@Brandon_Wertz Thanks. It makes sense. Also, for one user I am seeing two IPs and the source for both is AD. How is that possible? The user logs on to a domain machine and one entry shows the IP of that machine. He is also logged in through remote access VPN (integrated with AD) and the other entry shows an IP from the remote pool. Any explanation of this?

You can have 10, 20 (limitless) unique IP to singular user ID mappings. If your agent has it registered, then the host machine the user is on must, at one point, have authenticated with the second recorded IP.

I know I've had 6 or 7 unique IPs tied to my user ID (RDPing into servers, VPN, and whatnot).

@faizankhurshid,

As @Brandon_Wertz already pointed out, the number of IP addresses that a user can be mapped to is limitless (outside of the platform limits for User-ID). I often have users who have upwards of 10 IPs tied to their account due to logging into multiple development or software servers at any one time; one of my System Engineers often has 15+ IPs mapped to his username.

@BPry @Brandon_Wertz thanks. So one user can have multiple IPs, but one IP can only be tied to one user? Like on a single machine, multiple accounts cannot be logged in simultaneously? It will bind the IP of the machine to the last logged-in user?

@faizankhurshid wrote:

> @BPry @Brandon_Wertz thanks. So one user can have multiple IPs, but one IP can only be tied to one user?

Yes, an IP will only ever be tied to a single user. Every time the firewall gets an update tying a specific user ID to a specific IP, that new ID will replace what was previously identified as being associated with the IP address.
