cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2205
Views
5
Helpful
3
Replies

Different Remote access VPN profiles with single AD domain but different AD groups

IlyaTaskaev
Level 1
Level 1

Hi all!


We want to grant Anyconnect Remote access VPN for our users divided into different AD groups.
We want to create two connection profiles that should use two different realms for the same domain, but for different AD groups. For example:

Users from AD Group1 can access through Anyconnect VPN to hosts from their subnet, and on other hand users from AD Group2 can access through Anyconnect VPN to hosts from their subnets only. 

We already created two profiles, with different address pools, and according to it ACL which filter traffic. But, we can't divide users from the same AD realm but different groups.

I tried to create a new AD realm, but it obviously failed, because realm is the same as the previous one. How can I divide it by AD groups, is it possible on FMC?

 

 

1 Accepted Solution

Accepted Solutions

harmesh88
Level 1
Level 1

As per my understanding by configuring LDAP MAP your requirement will be fulfilled .

 

as of now we can not configure LDAP MAP through FMC GUI like native feature 

there is a open feature request  for ldap map in FMC 

 

FMC should support LDAP authorization for Remote Access VPN

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd64585/?rfs=iqvred

 

still if you want to configure LDAP MAP you will get workaround from this URL

and you should configure LDAP map by doing Flex Configuration .

 

Note:- Flex Configuration is very critical and when you are doing this please check all information twise before deploying configuration because if deployment will fail due to flex configuration it will disconnect whole network around 5 to 10 Second . 

 

So , Please understand all configuration and then deploy it 

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

If you use a RADIUS AAA server (like Microsoft NPS or Cisco ISE), you can assign users to remote access VPN connection profiles based on AD Group membership.

https://community.cisco.com/t5/vpn-and-anyconnect/fmc-anyconnect-and-radius-assign-conection-profile/m-p/3698085#M146307

Firepower does not currently support LDAP attribute maps directly as we have with ASA.

mumbai.support
Level 1
Level 1

.

harmesh88
Level 1
Level 1

As per my understanding by configuring LDAP MAP your requirement will be fulfilled .

 

as of now we can not configure LDAP MAP through FMC GUI like native feature 

there is a open feature request  for ldap map in FMC 

 

FMC should support LDAP authorization for Remote Access VPN

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd64585/?rfs=iqvred

 

still if you want to configure LDAP MAP you will get workaround from this URL

and you should configure LDAP map by doing Flex Configuration .

 

Note:- Flex Configuration is very critical and when you are doing this please check all information twise before deploying configuration because if deployment will fail due to flex configuration it will disconnect whole network around 5 to 10 Second . 

 

So , Please understand all configuration and then deploy it 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: