1002 Views | 5 Helpful | 2 Replies

Firepower RAvpn and SGT group

dkornel01
Level 1

Hi!

I would like to use a third-party RADIUS server for RA VPN authentication; I can authenticate the AnyConnect clients without any problem.

I would also like to authorize them as members of a particular SGT group, so I send the Cisco-AVPair = "cts:security-group-tag= xyz" attribute back to Firepower.

SGT pushing seems to work:

ftdv2# sh vpn-sessiondb anyconnect filter name kornel

Session Type: AnyConnect

Username : kornel Index : 1835
Assigned IP : 192.168.66.207 Public IP : blabla
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 14979 Bytes Rx : 4000
Group Policy : teszt Tunnel Group : tesztes
Login Time : 14:26:57 UTC Mon Oct 24 2022
Duration : 0h:37m:01s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 000000000072b0006356a0b1
Security Grp : 5 Tunnel Zone : 0

When I set up a logging rule matching the VPN traffic, the SGT source and destination group fields are empty.

So what else should I do to tag the traffic? Or can't FTD tag and classify the RA VPN packets?

I also tried to trace a security-group-tagged packet, and I got the following result:

ftdv2# packet-tracer input public tcp inline-tag 5 192.168.66.207 12222 192.101.91 445

...

Action: drop
Drop-reason: (ifc-not-cmd-enabled) Interface not configured for CMD packets, Drop-location: frame 0x000055d2bb7c6cdf flow (NA)/NA
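As an added example (not part of the original post and not Cisco code), the following Python script shows what the RADIUS side of this setup actually carries on the wire: it encodes the Cisco-AVPair vendor-specific attribute (RADIUS attribute 26, Vendor-Id 9, vendor-type 1) with a cts:security-group-tag value into an Access-Accept, computes and checks the Response Authenticator with the shared secret, and parses the SGT back out. This is useful for confirming, from a capture or a test client, what a third-party RADIUS server is really sending before blaming the FTD side. The shared secret, Request Authenticator, identifier and attribute contents are constructed sample data; the assumption that the tag is hexadecimal with an optional "-<generation-id>" suffix follows the ISE format and is marked in the code.

```python
"""Encode, authenticate and parse a Cisco-AVPair SGT in a RADIUS Access-Accept.

Added example; constants and sample data are constructed for illustration.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RADIUS Code for Access-Accept (RFC 2865)
ATTR_FRAMED_IP = 8       # Framed-IP-Address, used here only as a second attribute
ATTR_VSA = 26            # Vendor-Specific attribute
VENDOR_CISCO = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor-type of Cisco-AVPair inside the Cisco VSA
SGT_PREFIX = "cts:security-group-tag="


def encode_cisco_avpair(value: str) -> bytes:
    """Build one Cisco-AVPair VSA: type 26, len, vendor-id, vtype, vlen, text."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", VENDOR_CISCO) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single VSA")
    return struct.pack("!BB", ATTR_VSA, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator and compare in constant time."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def iter_attributes(attrs: bytes):
    """Yield (type, value) for each TLV, rejecting truncated or bogus lengths."""
    off = 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[off + 2:off + alen]
        off += alen


def cisco_avpairs(attrs: bytes):
    """Yield the text of every Cisco-AVPair found in the attribute list."""
    for atype, val in iter_attributes(attrs):
        if atype != ATTR_VSA or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != VENDOR_CISCO:
            continue
        vtype, vlen = val[4], val[5]
        if vlen < 2 or 4 + vlen > len(val):
            raise ValueError("bad vendor attribute length")
        if vtype == CISCO_AVPAIR:
            yield val[6:4 + vlen].decode("ascii", errors="replace")


def extract_sgt(attrs: bytes):
    """Return the SGT as an int, or None if no cts:security-group-tag pair is present.

    Assumption: the tag is hexadecimal and may carry a "-<generation-id>" suffix,
    as ISE formats it (e.g. 0005-01); a decimal-only server would need int(..., 10).
    """
    for pair in cisco_avpairs(attrs):
        if not pair.lower().startswith(SGT_PREFIX):
            continue
        value = pair[len(SGT_PREFIX):].strip()
        tag = int(value.split("-", 1)[0], 16)
        if not 0 <= tag <= 0xFFFF:
            raise ValueError(f"SGT out of 16-bit range: {tag}")
        return tag
    return None


def sgt_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Validate code, length and authenticator, then pull the SGT out."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    packet = packet[:length]
    if not verify_response(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator (wrong secret or tampered reply)")
    return extract_sgt(packet[20:])


# Constructed sample: secret, request authenticator and attributes are made up.
SAMPLE_SECRET = b"testing123"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ATTRS = (
    struct.pack("!BB4s", ATTR_FRAMED_IP, 6, bytes([192, 168, 66, 207]))
    + encode_cisco_avpair(SGT_PREFIX + "0005-01")
)
SAMPLE_PACKET = build_access_accept(0x2A, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, SAMPLE_ATTRS)

if __name__ == "__main__":
    print("SGT from sample Access-Accept:",
          sgt_from_access_accept(SAMPLE_PACKET, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Point a packet capture of the Access-Accept at sgt_from_access_accept together with the Request Authenticator from the matching Access-Request and the shared secret; a parse result of 5 here matches the "Security Grp : 5" line in the session output above, which is the attribute being accepted, not the traffic being tagged.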


Accepted Solution

Yes, FMC/FTD does not support SGT assignment/classification from RADIUS authz. You need to send the SGT assignment via ISE pxGrid to FMC.


2 Replies

dkornel01
Level 1

Based on the document below, virtual FTD doesn't support SGT classification on RA VPN. This might be the reason.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf
