https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303378#M345767 <HTML><HEAD></HEAD><BODY><P>I've made another test. I've changed the group that matches the ACL and it works.</P><P></P><P>The differences between groups are:</P><P></P><P>- They're located in different OUs, but both are accessible.</P><P>- One has 6 users and the other many more.</P><P></P><P>Is there any kind of restriction on how many users a group can contain so that ASA is able to check it?</P><P></P><P>Other group that does not work is a group (Global_FTP) containing 3 different groups, being one of them that other group (FTP_OfficeXX).</P><P></P><P>Any help will be appreciated.</P><P></P><P>Thanks!!!</P></BODY></HTML> Fri, 02 Aug 2013 08:44:31 GMT Igor Rodriguez 2013-08-02T08:44:31Z https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303376#M345764 <P>Hello all,</P><P></P><P>I have set up our Cisco ASA 8.4(4)1 so that it works as an Identity Firewall. Everything is going fine, except the following:</P><P></P><P>I've made an ACL so that only allowed users access a few FTP servers. The thing is that those users belong to an Active Directory group. Using the AD group, the ACL is not being matched and therefore, is not working.</P><P></P><P>However, if I change that AD group and try only my AD user, it does work.</P><P></P><P>I have other ACLs matching AD groups and are working fine.</P><P></P><P>So my question is:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Is there any limitation to those AD groups?</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; What can I check to know why my user (that belongs to that AD group) is not being allowed while ACL includes AD group?</P><P></P><P>Any help will be appreciated.</P><P></P><P>Thanks in advance.</P><P></P><P>Best regards,</P><P></P><P>Igor</P> Tue, 12 Mar 2019 02:17:24 GMT https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303376#M345764 Igor Rodriguez 2019-03-12T02:17:24Z https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303377#M345765 <HTML><HEAD></HEAD><BODY><P>Any idea of how could I try to solve this?</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 29 Jul 2013 08:09:54 GMT https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303377#M345765 Igor Rodriguez 2013-07-29T08:09:54Z https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303378#M345767 <HTML><HEAD></HEAD><BODY><P>I've made another test. I've changed the group that matches the ACL and it works.</P><P></P><P>The differences between groups are:</P><P></P><P>- They're located in different OUs, but both are accessible.</P><P>- One has 6 users and the other many more.</P><P></P><P>Is there any kind of restriction on how many users a group can contain so that ASA is able to check it?</P><P></P><P>Other group that does not work is a group (Global_FTP) containing 3 different groups, being one of them that other group (FTP_OfficeXX).</P><P></P><P>Any help will be appreciated.</P><P></P><P>Thanks!!!</P></BODY></HTML> Fri, 02 Aug 2013 08:44:31 GMT https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303378#M345767 Igor Rodriguez 2013-08-02T08:44:31Z https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303379#M345769 <HTML><HEAD></HEAD><BODY><P>Hello again everybody,</P><P></P><P>I was wondering if maybe because of summer vacations this post was missing to some of you.</P><P></P><P>Anyone has any idea of why ACL does not match when using an old and with more members group?</P><P></P><P>Thanks in advance.</P><P></P><P>Best regards,</P><P></P><P>Igor</P></BODY></HTML> Mon, 30 Sep 2013 15:12:03 GMT https://community.cisco.com/t5/network-security/identity-fw-acl-with-ad-group-not-matching/m-p/2303379#M345769 Igor Rodriguez 2013-09-30T15:12:03Z