Hello - I come with a warning from an issue I just had recently and resolved. Hopefully this will get some visibility and possibly fixed in a later release of the add-on. This was tested with the latest version of this add-on (ver 3.4.0) and in reference to the log entry: %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reason
If you are using this Add-On, please make a note to check whether you have anyone in your org with the string "Deny" (capital D) as part of their name or e-mail address. This would likely be someone named Denys or similar, or someone whose last name starts with those letters.
ex:
Cisco_ASA_user = LOCAL\Denys.Somelastname@yourdomain.com
Cisco_ASA_user = LOCAL\Bob.Denyan@yourdomain.com
I have found that due to two weak regex entries in the transforms.conf file for the add-on, it will look for a "Deny" string (capital D) in the log entry from your ASAs to populate the [cisco_asa_vendor_action] and [vendor_action] fields. This results in a deny vendor action even when the actual result/reason in the log shows Succeeded.
[cisco_asa_vendor_action]
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
FORMAT=vendor_action::$1
[cisco_asa_vendor_action_for_performance]
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
FORMAT=Cisco_ASA_vendor_action::$1
You can see in the regex that it is looking through OR (|) statements to find Deny.
To resolve this I have found that throwing a \s after the Deny in the two stanzas listed above will process the fields correctly for those people that have the string as part of their name or email. So |Deny\s| will fix it. The corrected regex is below. Be sure not to make the change under the default folder 😉
REGEX=([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny\s|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)
Hope this helps!
-Chris
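The following added example is not from Chris's post or from the add-on; it applies the original alternation and the corrected one to two constructed ASA log lines using Python's re module, which for these constructs (ordered alternation, leftmost match, \s, \b) behaves like the PCRE that Splunk uses. The log lines, IP addresses and user names are made up for the example, and the 746012 line follows the layout named at the top of the post. It also shows two things worth checking after applying the fix: the captured group now includes the whitespace, so vendor_action comes out as "Deny " (trailing space) unless it is trimmed, and the constructed 746012 mapping line gets no vendor_action at all afterwards, because nothing in the list matches "Succeeded" on its own. A word-boundary variant, \bDeny\b, is included as an assumption of mine for comparison, not as anything the add-on ships.

```python
import re

# The original alternation from the add-on's transforms.conf, exactly as quoted in the post.
ORIGINAL = (
    r"([Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|"
    r"passed authentication|Login permitted|Authentication failed|Authorization denied|"
    r"Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|"
    r"Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|"
    r"Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|"
    r"access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|"
    r"[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)"
)

# The fix from the post: require whitespace after the bare "Deny" alternative.
FIXED = ORIGINAL.replace("|Deny|", r"|Deny\s|")

# Hypothetical alternative (my assumption, not from the post or the add-on): word boundaries
# instead of \s, so the captured value carries no trailing whitespace.
BOUNDARY = ORIGINAL.replace("|Deny|", r"|\bDeny\b|")

# Constructed sample events (not real logs). The user names match the post's examples.
USER_MAPPING = (r"%ASA-5-746012: user-identity: Add IP-User mapping 10.0.0.5 - "
                r"LOCAL\Denys.Somelastname@yourdomain.com Succeeded - VPN user")
USER_MAPPING_2 = (r"%ASA-5-746012: user-identity: Add IP-User mapping 10.0.0.6 - "
                  r"LOCAL\Bob.Denyan@yourdomain.com Succeeded - VPN user")
ACL_DENY = ('%ASA-4-106023: Deny tcp src outside:203.0.113.7/51515 dst inside:10.0.0.5/22 '
            'by access-group "outside_in" [0x0, 0x0]')


def vendor_action(pattern: str, line: str):
    """Mimic REGEX + FORMAT=vendor_action::$1: capture group 1 of the first match, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def compare(line: str) -> dict:
    """Run all three variants over one event so the differences can be seen side by side."""
    return {
        "original": vendor_action(ORIGINAL, line),
        "fixed": vendor_action(FIXED, line),
        "boundary": vendor_action(BOUNDARY, line),
    }


if __name__ == "__main__":
    for name, line in (("Denys mapping", USER_MAPPING),
                       ("Denyan mapping", USER_MAPPING_2),
                       ("real ACL deny", ACL_DENY)):
        print(name, compare(line))
```

The original pattern returns "Deny" for both mapping lines, which is the false vendor_action from the post; the fixed pattern returns None for them and "Deny " (with the space) for the real ACL deny, so a downstream lookup or CIM field that expects exactly "Deny" will want a trim or the boundary variant.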