Restrict some VPN users FMC / Active Directory

pannkakan_1
Level 1

Hi

 

I have two groups in my AD, one for our Administrators and one for our Users. I want to configure it so that everyone can use our VPN connection, but I want to restrict it so normal users in the Users group can only access one IP address and our Administrators can access everything. We're using LDAP in our AD and no NPS is installed.

I'm using FMC to configure this but I really don't know how I should progress.

2 Replies

Rahul Govindan
VIP Alumni

I believe this is not possible with Firepower Threat Defense (FTD) as of today if you use LDAP/AD as the back-end AAA source. Traditionally with ASA, we would use LDAP attribute maps to map AD membership to group-policies and corresponding permissions. Since FTD does not support LDAP attribute maps yet, you would have to use a back-end RADIUS server like NPS to achieve this functionality.
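For readers who do have a classic ASA in front of them, the following is an added illustration of the LDAP attribute map approach the reply describes; it is not configuration from this thread or from Cisco. It assumes two AD groups, `VPN-Admins` and `VPN-Users`, an LDAP server at 10.10.10.5, a single permitted host 10.10.10.10, an existing address pool `VPN-POOL`, and an `example.com` domain; all of these names and addresses are placeholders.

```text
! Added example (not from the thread). Assumes an ASA, since the reply notes that
! FTD/FMC does not support LDAP attribute maps. All names and addresses are placeholders.

! 1. Deny-by-default policy for any authenticated user whose AD groups map to nothing
group-policy GP-NoAccess internal
group-policy GP-NoAccess attributes
 vpn-simultaneous-logins 0

! 2. Restricted users: a vpn-filter that only permits the one internal host.
!    vpn-filter ACLs are written with the VPN client as source and the internal host as destination.
access-list VPN-USERS-FILTER extended permit ip any host 10.10.10.10
group-policy GP-Users internal
group-policy GP-Users attributes
 vpn-filter value VPN-USERS-FILTER

! 3. Administrators: no vpn-filter, so no restriction beyond normal interface ACLs
group-policy GP-Admins internal
group-policy GP-Admins attributes
 no vpn-filter

! 4. LDAP attribute map: AD memberOf value -> ASA group-policy name
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-Admins
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-Users

! 5. Attach the map to the LDAP AAA server group
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.10.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! 6. The remote-access tunnel group authenticates against AD and falls back to GP-NoAccess
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NoAccess
```

Two points worth checking after applying something like this: `debug ldap 255` on the ASA shows which `memberOf` value matched and which group-policy was assigned, and a test account that belongs to both AD groups should be verified explicitly, because when several `map-value` entries match, the result depends on the order in which AD returns the `memberOf` values rather than on the order written in the map.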

Potentially possible if you use ISE or ACS in conjunction with RADIUS auth and stick the FMC in a device group in ISE/ACS and enforce certain AD attributes.

Please remember to rate useful posts, by clicking on the stars below.
