The User Agent Identity Source
The Cisco Firepower User Agent is a passive authentication method; it is an authoritative identity source, meaning user information is supplied by a trusted Active Directory server. When integrated with the Firepower System, the user agent monitors users when they log in and out of hosts with Active Directory credentials. The data gained from the User Agent can be used for user awareness and user control.
The user agent associates each user with an IP address, which allows access control rules with user conditions to trigger. You can use one user agent to monitor user activity on up to five Active Directory servers and send encrypted data to up to five Firepower Management Centers.
The User Agent does not report failed login attempts.
End of FMC Support for User Agent
End of support is planned for FMC integration with the Cisco Firepower User Agent (hereafter referred to as user agent) in a future release.
We strongly recommend you stop using the user agent and switch to using ISE/ISE-PIC as soon as possible.
You'll benefit from the following features, which are not available in the user agent:
- Support for Microsoft Active Directory up to version 2016
- Gathers authentication data from up to 10 Microsoft Active Directory domain controllers
- Gathers Active Directory authentication data from switches supporting Kerberos SPAN
- Supports passive/active redundancy
- You can upgrade from the ISE-PIC to ISE, adding the Passive Identity Connector node to an existing Cisco ISE cluster.
- Supports KVM, VMware, and Hyper-V
- Tailored to fit your organization with support for 3,000 and 300,000 sessions, depending on licensing
You are eligible for a free ISE-PIC license if you have a current support contract for any of the following:
- Any FMC hardware model
- Virtual FMC v25
- Virtual FMC v300
For the preceding models, request part number L-FMC-ISE-PIC=.
Note: If you have FMCv2 and FMCv10, you must use the standard ISE-PIC part numbers.