10-14-2019 06:24 AM - edited 02-21-2020 09:35 AM
Hi all!
We want to grant AnyConnect remote access VPN to our users, divided into different AD groups.
We want to create two connection profiles that should use two different realms for the same domain, but for different AD groups. For example:
Users from AD Group1 can access hosts from their subnet through AnyConnect VPN, and on the other hand users from AD Group2 can access hosts from their subnets only through AnyConnect VPN.
We already created two profiles, with different address pools, and the corresponding ACLs which filter traffic. But we can't divide users from the same AD realm but different groups.
I tried to create a new AD realm, but it obviously failed, because the realm is the same as the previous one. How can I divide it by AD groups, is it possible on FMC?
Labels: NGFW Firewalls
Accepted Solutions
10-15-2019 06:39 AM
As per my understanding, by configuring an LDAP map your requirement will be fulfilled.
As of now we cannot configure an LDAP map through the FMC GUI as a native feature.
There is an open feature request for LDAP map in FMC:
FMC should support LDAP authorization for Remote Access VPN
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd64585/?rfs=iqvred
Still, if you want to configure an LDAP map, you will get a workaround from this URL,
and you should configure the LDAP map by doing FlexConfig.
Note: FlexConfig is very critical, and when you are doing this please check all information twice before deploying the configuration, because if deployment fails due to the FlexConfig it will disconnect the whole network for around 5 to 10 seconds.
So, please understand all the configuration and then deploy it.
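An added example, not from this post or from Cisco's workaround document, of what such an LDAP attribute map looks like in ASA syntax, which is the syntax a FlexConfig object on FTD carries. The group-policy, ACL and pool names, the group DNs, the server address and the realm/server name AD_REALM are all placeholders to be replaced with the values from your own FMC realm and RA VPN objects:

```text
! One group policy per AD group (names are placeholders)
group-policy GP_GROUP1 internal
group-policy GP_GROUP1 attributes
 vpn-filter value ACL_GROUP1
 address-pools value POOL_GROUP1
group-policy GP_GROUP2 internal
group-policy GP_GROUP2 attributes
 vpn-filter value ACL_GROUP2
 address-pools value POOL_GROUP2
!
! Catch-all policy: anyone whose memberOf matches no map-value below
! is denied login instead of landing in a permissive default
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Map the AD memberOf attribute onto the ASA Group-Policy attribute
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Group1,OU=VPN,DC=example,DC=com" GP_GROUP1
 map-value memberOf "CN=Group2,OU=VPN,DC=example,DC=com" GP_GROUP2
!
! Attach the map to the LDAP server entry that the FMC realm generated
! (server name and address are placeholders; they must match the realm)
aaa-server AD_REALM (inside) host 192.0.2.10
 ldap-attribute-map AD_GROUP_MAP
```

Set GP_NOACCESS as the default group policy of the connection profile in FMC so that a user who is in neither group is rejected rather than admitted with the default policy, and verify the result with a test account from each group before trusting it.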
10-14-2019 07:27 AM
If you use a RADIUS AAA server (like Microsoft NPS or Cisco ISE), you can assign users to remote access VPN connection profiles based on AD Group membership.
Firepower does not currently support LDAP attribute maps directly as we have with ASA.