10-14-2019 06:24 AM - edited 02-21-2020 09:35 AM
Hi all!
We want to grant AnyConnect remote access VPN to our users, who are divided into different AD groups.
We want to create two connection profiles that use two different realms for the same domain, but for different AD groups. For example:
Users from AD Group1 can access hosts in their subnet through the AnyConnect VPN, and on the other hand users from AD Group2 can access hosts in their subnets only through the AnyConnect VPN.
We have already created two profiles with different address pools and, accordingly, ACLs that filter the traffic. But we can't divide users from the same AD realm into different groups.
I tried to create a new AD realm, but it obviously failed, because the realm is the same as the previous one. How can I divide it by AD groups? Is it possible in FMC?
10-15-2019 06:39 AM
As per my understanding, by configuring an LDAP map your requirement will be fulfilled.
As of now we cannot configure an LDAP map through the FMC GUI as a native feature.
There is an open feature request for LDAP maps in FMC:
FMC should support LDAP authorization for Remote Access VPN
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd64585/?rfs=iqvred
Still, if you want to configure an LDAP map, you will get a workaround from this URL,
and you should configure the LDAP map via FlexConfig.
Note: FlexConfig is very critical, and when you are doing this please check all the information twice before deploying the configuration, because if the deployment fails due to the FlexConfig it will disconnect the whole network for around 5 to 10 seconds.
So please understand all the configuration and then deploy it.
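A worked FlexConfig object for the LDAP-map approach described in the answer above, added here as an example; it is not taken from the thread, from the linked bug, or from Cisco documentation. It assumes the FMC realm (and therefore the aaa-server group that FTD already has for it) is named AD_REALM with a domain controller at 10.0.0.10 reachable via the inside interface, that the two connection profiles' group policies in the RA VPN policy are named GP_GROUP1 and GP_GROUP2 (each carrying its own address pool and filter ACL), and that the AD groups are CN=VPN-Group1 and CN=VPN-Group2 under OU=Groups,DC=example,DC=com. Every one of those names and addresses is a placeholder to be replaced with your own.

```text
! FlexConfig object, type Append, deployment Everytime. All names below are assumed.
!
! 1. Map the AD "memberOf" attribute onto the ASA/FTD "Group-Policy" attribute.
!    Each map-value is the group's full DN exactly as AD returns it; a mistyped DN
!    silently matches nothing and the user falls through to the default policy.
ldap attribute-map AD_GROUP_MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN-Group1,OU=Groups,DC=example,DC=com" GP_GROUP1
  map-value memberOf "CN=VPN-Group2,OU=Groups,DC=example,DC=com" GP_GROUP2
!
! 2. A deny-by-default policy: a user who is in neither AD group (or whose
!    group DN is misspelled above) gets zero simultaneous logins, i.e. no tunnel,
!    instead of inheriting whatever the connection profile's default policy allows.
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0
!
! 3. Attach the map to the LDAP host FMC created for the realm. The server-group
!    name, interface and host IP must match the realm exactly; if they do not,
!    the deployment fails, which is the outage the answer warns about.
aaa-server AD_REALM (inside) host 10.0.0.10
  ldap-attribute-map AD_GROUP_MAP
```

Two practical notes. The NOACCESS policy only protects you if it is actually the default for the connection profile; since a group policy created purely by FlexConfig is invisible to the FMC connection-profile editor, create it there instead as an FMC group policy object with the simultaneous-login limit set to 0 and select it as the profile's default group policy (then drop step 2 from the object). Before deploying, preview the FlexConfig from the policy page and compare the aaa-server line against `show running-config aaa-server` on the FTD; after deploying, `debug ldap 255` on the FTD diagnostic CLI during a test login shows the attribute map being applied and which Group-Policy value was mapped, and `show vpn-sessiondb anyconnect` lists the group policy each connected session actually received. Users who are members of both mapped AD groups should be tested explicitly rather than assumed to land in a particular policy.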
10-14-2019 07:27 AM
If you use a RADIUS AAA server (like Microsoft NPS or Cisco ISE), you can assign users to remote access VPN connection profiles based on AD Group membership.
Firepower does not currently support LDAP attribute maps directly as we have with ASA.