Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2754
Views
5
Helpful
3
Replies

Different Remote access VPN profiles with single AD domain but different AD groups

Go to solution
IlyaTaskaev
Level 1
Level 1

‎10-14-2019 06:24 AM - edited ‎02-21-2020 09:35 AM

Hi all!


We want to grant Anyconnect Remote access VPN for our users divided into different AD groups.
We want to create two connection profiles that should use two different realms for the same domain, but for different AD groups. For example:

Users from AD Group1 can access through Anyconnect VPN to hosts from their subnet, and on other hand users from AD Group2 can access through Anyconnect VPN to hosts from their subnets only. 

We already created two profiles, with different address pools, and according to it ACL which filter traffic. But, we can't divide users from the same AD realm but different groups.

I tried to create a new AD realm, but it obviously failed, because realm is the same as the previous one. How can I divide it by AD groups, is it possible on FMC?

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
harmesh88
Level 1
Level 1

‎10-15-2019 06:39 AM

As per my understanding by configuring LDAP MAP your requirement will be fulfilled .

 

as of now we can not configure LDAP MAP through FMC GUI like native feature 

there is a open feature request  for ldap map in FMC 

 

FMC should support LDAP authorization for Remote Access VPN

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd64585/?rfs=iqvred

 

still if you want to configure LDAP MAP you will get workaround from this URL

and you should configure LDAP map by doing Flex Configuration .

 

Note:- Flex Configuration is very critical and when you are doing this please check all information twise before deploying configuration because if deployment will fail due to flex configuration it will disconnect whole network around 5 to 10 Second . 

 

So , Please understand all configuration and then deploy it 

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-14-2019 07:27 AM

If you use a RADIUS AAA server (like Microsoft NPS or Cisco ISE), you can assign users to remote access VPN connection profiles based on AD Group membership.

https://community.cisco.com/t5/vpn-and-anyconnect/fmc-anyconnect-and-radius-assign-conection-profile/m-p/3698085#M146307

Firepower does not currently support LDAP attribute maps directly as we have with ASA.

0 Helpful

Go to solution
mumbai.support
Level 1
Level 1

‎10-15-2019 06:35 AM - edited ‎10-15-2019 06:35 AM

.

0 Helpful

Go to solution
harmesh88
Level 1
Level 1

‎10-15-2019 06:39 AM

As per my understanding by configuring LDAP MAP your requirement will be fulfilled .

 

as of now we can not configure LDAP MAP through FMC GUI like native feature 

there is a open feature request  for ldap map in FMC 

 

FMC should support LDAP authorization for Remote Access VPN

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd64585/?rfs=iqvred

 

still if you want to configure LDAP MAP you will get workaround from this URL

and you should configure LDAP map by doing Flex Configuration .

 

Note:- Flex Configuration is very critical and when you are doing this please check all information twise before deploying configuration because if deployment will fail due to flex configuration it will disconnect whole network around 5 to 10 Second . 

 

So , Please understand all configuration and then deploy it 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card