https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3707807#M1014316 <P>Hi all,</P> <P>&nbsp;</P> <P>I'm replacing a customer's ASAs with FTDs and I've hit a couple of snags.</P> <P>&nbsp;</P> <P>The customer is currently using clientless SSL VPN for contractors to access a small subset of internal services.</P> <P>&nbsp;</P> <P>Contractors authenticate their SSL VPN session to the ASA local user database whereas normal employees authenticate to active directory. Each user group has a&nbsp;separate group policy and alias.</P> <P>&nbsp;</P> <P>FTDs do not support local users or clientless VPN so I&nbsp;have to use AnyConnect for the contractors and somehow assign different access policies depending on their AD group membership. I could be wrong, but I don't think FTD supports this natively?</P> <P>&nbsp;</P> <P>I don't think the Firepower User Agent will achieve what I need either.</P> <P>&nbsp;</P> <P>So I'm thinking the only solution is to use a RADIUS server like ISE or ACS or something and use that to send down an AV pair to the FTD to influence the chosen group policy.</P> <P>&nbsp;</P> <P>Any thoughts?</P> <P>&nbsp;</P> <P>Many thanks in advance,</P> <P>Matt.</P> Tue, 12 Mar 2019 13:58:24 GMT matty-boy 2019-03-12T13:58:24Z https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3707807#M1014316 <P>Hi all,</P> <P>&nbsp;</P> <P>I'm replacing a customer's ASAs with FTDs and I've hit a couple of snags.</P> <P>&nbsp;</P> <P>The customer is currently using clientless SSL VPN for contractors to access a small subset of internal services.</P> <P>&nbsp;</P> <P>Contractors authenticate their SSL VPN session to the ASA local user database whereas normal employees authenticate to active directory. Each user group has a&nbsp;separate group policy and alias.</P> <P>&nbsp;</P> <P>FTDs do not support local users or clientless VPN so I&nbsp;have to use AnyConnect for the contractors and somehow assign different access policies depending on their AD group membership. I could be wrong, but I don't think FTD supports this natively?</P> <P>&nbsp;</P> <P>I don't think the Firepower User Agent will achieve what I need either.</P> <P>&nbsp;</P> <P>So I'm thinking the only solution is to use a RADIUS server like ISE or ACS or something and use that to send down an AV pair to the FTD to influence the chosen group policy.</P> <P>&nbsp;</P> <P>Any thoughts?</P> <P>&nbsp;</P> <P>Many thanks in advance,</P> <P>Matt.</P> Tue, 12 Mar 2019 13:58:24 GMT https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3707807#M1014316 matty-boy 2019-03-12T13:58:24Z https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3707818#M1014317 You are correct. To use LDAP group-membership info for group-policy assignment, you need the LDAP attribute map feature. This works on the ASA, but supported not the FTD yet. For FTD, you would have to use Radius server to set the group-policy name via the Radius Class attribute. If you are using AD, the easiest option would be to use the Network Policy Server functionality in the Windows server. The NPS settings would be the same as given in this doc for the ASA: <A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html</A> Sun, 16 Sep 2018 21:48:37 GMT https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3707818#M1014317 Rahul Govindan 2018-09-16T21:48:37Z https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3708339#M1014318 <P>Hi Rahul,</P> <P>&nbsp;</P> <P>Thank you for confirming my suspicions. I got&nbsp;it working with a Cisco ACS server doing the RADIUS duties but I stumbled on another 'funny' though....</P> <P>&nbsp;</P> <P>As long as "Allow Users to select connection profile while logging in" is checked and an Alias exists and is enabled under the connection profile it works fine. But if I disable or delete the alias or I uncheck the&nbsp;"Allow Users to select connection profile while logging in" option, authentication fails? No evidence in the logs of the FTD talking to the ACS server at all. Weird.</P> <P>&nbsp;</P> <P>Cheers!</P> <P>Matt.</P> Mon, 17 Sep 2018 19:59:08 GMT https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3708339#M1014318 matty-boy 2018-09-17T19:59:08Z https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3708376#M1014319 <P>This could because of the tunnel-group the user ends up connecting to. If you have that option checked, the user sees the option to connect to all the tunnel-groups that have an alias set. IF you do not have this checked, the url "vpn.domain.com", usually takes you directly to the DefaultTunnelGroup. This may be why your authentication is failing.&nbsp;</P> Mon, 17 Sep 2018 20:57:17 GMT https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3708376#M1014319 Rahul Govindan 2018-09-17T20:57:17Z https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3708408#M1014320 <P>You were right! Again!&nbsp;Adding an alias URL did the trick!</P> <P>&nbsp;</P> <P>Thank you Rahul! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Sep 2018 21:36:49 GMT https://community.cisco.com/t5/network-security/ravpn-choose-group-policy-based-on-ad-group-membership/m-p/3708408#M1014320 matty-boy 2018-09-17T21:36:49Z