topic Re: group-lock on Firepower in Network Security

group-lock on Firepower

nickliako — Wed, 18 Nov 2020 21:16:22 GMT

Hello,

I have multiple group policies for AnyConnect and on some of the I would like my users not to be able to choose a connection profile, much like the same way this is accomplished with the group-lock attribute in ESA.

Unfortunately, I cannot see something similar in FMC which manages my Firepower appliances.

Keep in mind that group policies are mapped to AD Groups (LDAP Mapping).

Can this be accomplished somehow without the use of an external Radius Server (ISE etc) ?

Thanks

Re: group-lock on Firepower

cmarin — Wed, 20 Mar 2024 16:23:08 GMT

I have exactly the same issue now.

The anyconnect users are able to watch all the aliasses available and the FMC/FTD is not able to limit like the ASA did woth the group-lock value

is it necessary to do it on the ISE only?

Re: group-lock on Firepower

tvotna — Wed, 20 Mar 2024 17:18:38 GMT

It depends on how you do authentication and authorization. E.g. you can use AD/LDAP and assign group-policy directly to each user by mapping some LDAP attribute to group-policy name. For example, this article maps memberOf to group-policy, but you can use other attributes from LDAP schema too:
https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

In this case you can have single tunnel-group (connection profile) and don't need group-lock feature.

Or you can map some other LDAP attribute to Tunnel-Group-Lock value (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html).

Or you can achieve the same with RADIUS.

Re: group-lock on Firepower

tvotna — Wed, 20 Mar 2024 17:21:15 GMT

For LOCAL authentication this feature hasn't been implemented:

CSCvz10754 ENH: RAVPN(FMC): Option to add attributes for Local user