Troubleshooting Issues with User Access Control Rules
If you notice unexpected user access control rule behavior, consider tuning your rule, identity source, or realm configurations.
Access control rules targeting realms, users, or user groups are not firing
If you configure a User Agent or ISE/ISE-PIC device to monitor a large number of user groups, or if you have a very large number of users mapped to hosts on your network, the system may drop user records due to your Firepower Management Center user limit. As a result, access control rules with realm or user conditions may not fire as expected.
Access control rules targeting user groups or users within user groups are not firing as expected
If you configure an access control rule with a user group condition, your LDAP or Active Directory server must have user groups configured. The Firepower Management Center cannot perform user group control if the server organizes the users in basic object hierarchy.
Access control rules targeting users in secondary groups are not firing as expected
If you configure an access control rule with a user group condition that includes or excludes users who are members of a secondary group on your Active Directory server, your server may be limiting the number of users it reports.
By default, Active Directory servers limit the number of users they report from secondary groups. You must customize this limit so that all of the users in your secondary groups are reported to the Firepower Management Center and eligible for use in access control rules with user conditions.
Access control rules are not matching users when seen for the first time
After the system detects activity from a previously-unseen user, the system retrieves information from the server. Until the system successfully retrieves this information, activity seen by this user is not handled by matching access control rules. Instead, the user session is handled by the next access control rule it matches (or the access control policy default action).
For example, this may explain when:
Users who are members of user groups are not matching access control rules with user group conditions.
Users who were reported by ISE/ISE-PIC or the User Agent are not matching access control rules, when the server used for user data retrieval is an Active Directory server.
Note that this may also cause the system to delay the display of user data in event views and analysis tools.