topic Re: FMC RA VPN policies integration with Azure AD in Network Security

FMC RA VPN policies integration with Azure AD

FilipX — Fri, 16 May 2025 11:23:09 GMT

Hi all,

I have an issue on FMC caused by migration from on-prem MS AD to Azure AD. The problem is with RA VPN access policies using user-based restrictions.

Previously, users authenticated with their on-prem MS AD credentials and gained access to allowed resources based on their identity from the legacy AD Realm configured in the access policies.

The situation after the AD migration is as follows:

I have configured SAML authentication for RA VPN to authenticate users from the MS Azure domain. It works as expected, and users can connect using AnyConnect and providing their credentials via Microsoft.

I have also successfully created an MS Azure Realm in FMC.

I can list the users from Azure Realm and use them in RA VPN access policies, but it does not affect accessing/blocking the resources. It seems that FMC can't connect the user authenticated through SAML while establishing the VPN connection and the user from Azure Realm specified in the access policy, although it is the same user.

Just to mention that implementing Cisco ISE is not an option.

Any ideas are appreciated.

Thanks,
Filip

Re: FMC RA VPN policies integration with Azure AD

ahollifield — Mon, 19 May 2025 13:01:47 GMT

MS AD != Azure AD. Also Azure AD is called Entra ID now.

So what is the user's UPN? Does that match? What is being returned to the firewall from the SAML flow.

ISE is not required here.

Re: FMC RA VPN policies integration with Azure AD

FilipX — Tue, 20 May 2025 13:53:34 GMT

Hi ahollifield,

Thank you for your answer.
In the Remote Access VPN Overview Dashboard in FMC, under active sessions, users are listed with their username, not with the UPN.
Can you please clarify which user's UPN should match—that from SAML with the one from Azure (Entra) Realm?

Thanks,
Filip

Re: FMC RA VPN policies integration with Azure AD

ahollifield — Tue, 20 May 2025 14:41:49 GMT

needs to match whatever is being looked up inside of Entra

Re: FMC RA VPN policies integration with Azure AD

piotr.smietanka — Mon, 18 Aug 2025 14:08:13 GMT

@FilipX

Did you solve the problem?

Re: FMC RA VPN policies integration with Azure AD

MHM Cisco World — Mon, 18 Aug 2025 14:34:04 GMT

Please make new post

MHM

Re: FMC RA VPN policies integration with Azure AD

FilipX — Tue, 19 Aug 2025 14:17:37 GMT

Hi piotr.smietanka,

I opened a TAC case, and after a long analysis by the Cisco engineer, I was pointed to this answer:
"You can enforce an access policy on a SAML-authenticated user if you have an associated identity policy with an AD realm matching the SAML domain. However, it does not work for Azure AD SAML because it requires additional mapping from the tenant ID of the Azure AD to an associated realm ID on the threat defense device."

It is from the following document:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html#reference_pdf_cx3_psb

I hope this issue will be addressed in some future software update.

Filip