<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: FTD - AnyConnect Local User migration from ASA. in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274773#M1120264</link>
    <description>&lt;P&gt;Hey Marvin, thanks for this idea (it's been a while since I used DAPs!).&lt;/P&gt;
&lt;P&gt;I looked into it, I could set a user message, network ACL and "custom attribute" in a DAP. The network ACL ticks my first requirement, but the custom attribute only appears to support 3 other attributes with no option to set the address pool or group policy on a per user basis &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So, I'm back into a position of looking for an option without using a AAA server or some other external server (before someone mentions that as a solution).&lt;/P&gt;
&lt;P&gt;Darren&lt;/P&gt;</description>
    <pubDate>Tue, 25 Mar 2025 05:51:13 GMT</pubDate>
    <dc:creator>darrenj</dc:creator>
    <dc:date>2025-03-25T05:51:13Z</dc:date>
    <item>
      <title>FTD - AnyConnect Local User migration from ASA.</title>
      <link>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274761#M1120262</link>
      <description>&lt;P&gt;Hey all, I'm migrating from an ASA to FTD (managed by FMC). In the current ASA deployment, we have lots of VPN users that connect to a single tunnel-group and authenticate using local user credentials configured on the ASA.&lt;/P&gt;
&lt;P&gt;Now for the magic....based on the username that logs in, the ASA will assign a group-policy (contains stuff like IP pool to use, split-tunneling, etc) and a VPN filter (which restricts access to specific resources). This works great and gives me complete flexibility. Example user:&lt;/P&gt;
&lt;P&gt;username darrentest password &amp;lt;password&amp;gt; encrypted&lt;BR /&gt;username darrentest attributes&lt;BR /&gt;vpn-group-policy GP_TEST&lt;BR /&gt;vpn-filter value ACL_TEST&lt;/P&gt;
&lt;P&gt;Now I try and set up the same thing in v7.4 of FMC and it's a big fail. When I create a username/password there is no option to configure attributes like group-policy, VPN filter, etc.&lt;/P&gt;
&lt;P&gt;Spoiler Alert! I know this can be achieved with AAA servers (RADIUS attributes) but I don't have this and I simply want to migrate my existing solution.&lt;/P&gt;
&lt;P&gt;Has anyone come across this before and is my understanding of this big limitation correct? I can't even see it working with FlexConfigs &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;Darren&lt;/P&gt;</description>
      <pubDate>Tue, 25 Mar 2025 04:42:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274761#M1120262</guid>
      <dc:creator>darrenj</dc:creator>
      <dc:date>2025-03-25T04:42:56Z</dc:date>
    </item>
    <item>
      <title>Re: FTD - AnyConnect Local User migration from ASA.</title>
      <link>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274765#M1120263</link>
      <description>&lt;P&gt;You can use dynamic access policy with condition being username. It can then assign a VPN filter or static IP (but not a group policy AFAIK).&lt;/P&gt;</description>
      <pubDate>Tue, 25 Mar 2025 05:23:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274765#M1120263</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-03-25T05:23:02Z</dc:date>
    </item>
    <item>
      <title>Re: FTD - AnyConnect Local User migration from ASA.</title>
      <link>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274773#M1120264</link>
      <description>&lt;P&gt;Hey Marvin, thanks for this idea (it's been a while since I used DAPs!).&lt;/P&gt;
&lt;P&gt;I looked into it, I could set a user message, network ACL and "custom attribute" in a DAP. The network ACL ticks my first requirement, but the custom attribute only appears to support 3 other attributes with no option to set the address pool or group policy on a per user basis &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So, I'm back into a position of looking for an option without using a AAA server or some other external server (before someone mentions that as a solution).&lt;/P&gt;
&lt;P&gt;Darren&lt;/P&gt;</description>
      <pubDate>Tue, 25 Mar 2025 05:51:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274773#M1120264</guid>
      <dc:creator>darrenj</dc:creator>
      <dc:date>2025-03-25T05:51:13Z</dc:date>
    </item>
    <item>
      <title>Re: FTD - AnyConnect Local User migration from ASA.</title>
      <link>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274931#M1120272</link>
      <description>&lt;P&gt;You're right. I thought I recalled being able to assign a static IP in there but I just checked on my side and it's not an option.&lt;/P&gt;
&lt;P&gt;Unfortunately you may have to use the option that you mentioned not wanting. There are some free ones that will serve, but it does require setting up an external server.&lt;/P&gt;</description>
      <pubDate>Tue, 25 Mar 2025 13:39:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5274931#M1120272</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-03-25T13:39:16Z</dc:date>
    </item>
    <item>
      <title>Re: FTD - AnyConnect Local User migration from ASA.</title>
      <link>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5275118#M1120288</link>
      <description>&lt;P&gt;Thanks for checking my sanity your side too mate. It is quite lame I must say, it's been close to 10 years now and still so much functionality has been lost in the move from ASA to FTD/Firepower. I've worked on Cisco firewalls for about 20 years now (back to PIXs!) and it's not surprising to see them lose so much ground in the firewall space when you compare them to other vendors. Ah well.....&lt;/P&gt;</description>
      <pubDate>Wed, 26 Mar 2025 01:22:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-anyconnect-local-user-migration-from-asa/m-p/5275118#M1120288</guid>
      <dc:creator>darrenj</dc:creator>
      <dc:date>2025-03-26T01:22:35Z</dc:date>
    </item>
  </channel>
</rss>

