Alternative to DAP in FTD

nibor64
Level 1

Hi

I'm currently migrating a customer from ASA to a FP2110 using Firepower Threat Defense. As we're probably all aware, DAP (Dynamic Access Policies) are not yet supported on FTD, but I was wondering if anyone else has any idea or workaround to implement the same functionality.

The customer uses DAP on the AnyConnect setup, and if the AnyConnect client belongs to specific AD groups he grants them special permissions to the network based on access lists.

The way I see it, we could just implement access rules in the Access Control Policy to grant specific permissions based on the AD group, but this does not work from a VPN point of view. Even when you log on to AnyConnect using your AD credentials, FTD does not map your username to your IP address, so we cannot perform this kind of enforcement unless the client is connecting from a domain laptop.

Has anyone stumbled upon this and figured out other ways to implement it?

3 Replies

nibor64
Level 1

So far what I have done is to implement multiple tunnel-groups using different IP pools and make access rules in the Access Control Policy based on the IP pool. This works IF the user actually uses the URL we have created and given them; we cannot prevent them from just logging in to the customer.com tunnel-group and receiving full access to the network.
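The weak spot in the pool-based workaround above is that nothing forces a user onto the tunnel-group that matches his AD group, so the mapping has to be audited from the session logs. Added example, not code from the thread or from Cisco: every tunnel-group name, IP pool, AD group and log line below is constructed for illustration.

```python
"""Added example, not from the thread: audit AnyConnect sessions against the
tunnel-group / IP-pool workaround above. Every name, pool and log line below is
constructed for illustration; none of them comes from the page."""
import ipaddress
import re

# Constructed: tunnel-group -> IP pool the Access Control Policy rules key on.
POOLS = {"customer.com": "10.10.0.0/24",            # default tunnel-group
         "customer.com/finance": "10.10.1.0/24",
         "customer.com/admins": "10.10.2.0/24"}
# Constructed: AD group -> tunnel-group its members were given the URL for.
GROUP_TO_TUNNEL = {"VPN-Finance": "customer.com/finance", "VPN-Admins": "customer.com/admins"}
DEFAULT_TUNNEL = "customer.com"
# Constructed AD membership (would be an LDAP lookup in practice).
AD_MEMBERSHIP = {"alice": {"VPN-Finance"}, "bob": {"VPN-Admins"}, "carol": {"Domain Users"}}
# Constructed session records, loosely modelled on ASA/FTD address-assignment syslogs.
SESSION_LOG = """\
Group <customer.com/finance> User <alice> IP <203.0.113.10> IPv4 Address <10.10.1.7> assigned to session
Group <customer.com> User <bob> IP <203.0.113.11> IPv4 Address <10.10.0.5> assigned to session
Group <customer.com/admins> User <carol> IP <203.0.113.12> IPv4 Address <10.10.2.9> assigned to session
Group <customer.com/admins> User <bob> IP <203.0.113.13> IPv4 Address <10.10.1.3> assigned to session
"""
LINE_RE = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> .*IPv4 Address <(?P<ip>[\d.]+)>")


def expected_tunnel(user):
    """Tunnel-group the user should land in, derived from AD membership."""
    for ad_group, tunnel in GROUP_TO_TUNNEL.items():
        if ad_group in AD_MEMBERSHIP.get(user, set()):
            return tunnel
    return DEFAULT_TUNNEL


def audit_sessions(log_text):
    """Return (user, tunnel-group, ip, finding) for each session that breaks the plan."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        group, user, ip = m["group"], m["user"], m["ip"]
        want = expected_tunnel(user)
        if group != want:  # the gap the thread describes: user picked another tunnel-group
            findings.append((user, group, ip, "expected tunnel-group %s" % want))
        pool = POOLS.get(group)
        if pool is None or ipaddress.ip_address(ip) not in ipaddress.ip_network(pool):
            # outside the pool means the pool-based ACP rules will not match as intended
            findings.append((user, group, ip, "address outside pool %s" % pool))
    return findings
```

Run `audit_sessions(SESSION_LOG)` against real FTD session syslogs (adjusting `LINE_RE` to the exact message format in use) to list users who bypassed their intended tunnel-group or received an address outside the pool the ACP rules expect.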

Hey nibor64,

Can you throw some light on what the customer URL and default tunnel groups are?

How does that change anything for us?

@nibor64 wrote:

So far what I have done is to implement multiple tunnel-groups using different IP pools and make access rules in the Access Control Policy based on the IP pool. This works IF the user actually uses the URL we have created and given them; we cannot prevent them from just logging in to the customer.com tunnel-group and receiving full access to the network.


k.nandakumar
Level 1

You can achieve this by integrating ISE with FMC and configuring DAP on ISE; based on the user/group, ISE will assign the group-policy.
