Cisco FPR 7.2.5 ACP filter user per AD/LDAP users

faruk.zaimovic · ‎04-19-2024

Hello ,

I have cisco FPR 7.2.5 managed by FMC.

i want to make ACP rule and filter group user from AD/LDAP. For example one group from AD have FULL internet access other is Limited Internet access.

Can i make it without ISE, ISE-PIC. It is enough only have make integration with AD/LDAP and create Identity policy or i have to go with ISE-PIC.

Does anybody have same experience, please share with us?

Thank you very much.

Aref Alsouqi · ‎04-19-2024

Yes you can do that with ISE-PIC, please check this video of how to integrate ISE with the FMC, and also this post of mine that might be helpful:

Firepower Management Center (FMC) - User Agent transition to ISE-PIC (youtube.com)

Integrate FMC with ISE using pxGrid | Blue Network Security (bluenetsec.com)

faruk.zaimovic · ‎04-19-2024

thank you vey much.

It is possible make without ISE-PIC.

Aref Alsouqi · ‎04-19-2024

I don't believe so as @Ken Stieers also mentioned. Back in the day we used to have another option which was a little software we used to install on Windows to share the user-IP mapping, but that was deprecated and replaced with ISE.

Ken Stieers · ‎04-19-2024

That was the Firepower User Agent.

When they deprecated it they gave away IasEPiC licenses for a while. I'm not sure if that's still the case.

WSA/ASA used to have the CDA, which did the same thing... Umbrella VAs do it too.

Aref Alsouqi · ‎04-19-2024

Yeah that's right, I'd created a post about it while ago, I didn't know about the free licenses though.

Cisco Firepower User Agent | Blue Network Security (bluenetsec.com)

Ken Stieers · ‎04-19-2024

You need some way to tell the firewall what user is on what IP...

That is ISE-PIC or ISE.

MHM Cisco World · ‎04-19-2024

https://rayka-co.com/lesson/cisco-ftd-network-discovery-policy/

This can be done by active nmap'

The active nmap can use in ACP to make user access network resource according to reuslt of scan

MHM