Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

460
Views
0
Helpful
3
Replies
Highlighted
dv2323
Beginner
Beginner
‎02-10-2020 07:24 AM
‎02-10-2020 07:24 AM

Dynamic Access Policy (DAP) for AnyConnect work around on FTD

We are in a testing phase with FTD.  Currently, we use DAPs with ASA to control which users get certain Access lists when connecting with AnyConnect, and works well and is clean.  I know that is not a feature in FTD yet (or maybe ever) but I was curious if anyone has found a workaround.  We will probably have ISE Pic not full blown ISE if we decide to go with this solution.  However, I don't have access to ISE pic yet to test if it can be done using that.  I know ISE pic does User Identification so my thought is maybe I can build access policies based on that.

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
Francesco Molino
VIP Advisor VIP Advisor
VIP Advisor
‎02-10-2020 07:32 PM
‎02-10-2020 07:32 PM

Re: Dynamic Access Policy (DAP) for AnyConnect work around on FTD

Hi

You can push group policy, pool ip, acl.

Here a doc explaining it:
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-ravpn.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Reply
Highlighted
Nüüül
Beginner
Beginner
‎03-05-2020 11:35 PM
‎03-05-2020 11:35 PM

Re: Dynamic Access Policy (DAP) for AnyConnect work around on FTD

Hi!

There is kind of a workaround.

As far as i know there is no way to build additive authorizeation policies on ISE. So when user is member of group a and group b, ISE will stop Authorization after the first hin (groupa a -> dest a). BUT: You might use ID Policy to enable identity /group based ACLs. i.e. Group a gets an ACP Entry for destination a, group b for dest b. Then its possible to combine the access, if user is member of both groups. FTD uses the user from VPN Authentication. (Analysis -> User Activity (or something like this) -> current sessions. Not that nice like DAP, as you were able to check more then AD groups but it´s something...

0 Helpful
Reply
Highlighted
Peter Koltl
Frequent Contributor
Frequent Contributor
‎03-13-2020 04:09 AM
‎03-13-2020 04:09 AM

Re: Dynamic Access Policy (DAP) for AnyConnect work around on FTD

But do they merge, Nüüül?
0 Helpful
Reply
Latest Contents
How to Integrate Cisco Identity Services Engine with IBM Maa...
Created by pavagupt on 05-29-2020 12:45 AM
0
10
0
10
IntroductionComponentsIBM MaaS360 ConfigurationISE ConfigurationOnboard and validating access from Windows ClientEnrolling Windows 10 against IBM MaaS 360   Introduction Cisco Identity Services Engine (ISE) gives you intelligent Integrated protectio... view more
AMP4E - Cisco Threat Response and ESA Integration
Created by bremarqu on 05-27-2020 09:16 AM
0
0
0
0
Hello, This video provides the steps to configure the Cisco Threat Response (CTR) and ESA Integration.   This is live on the portal:https://video.cisco.com/video/6159336218001   And on YouTube:https://www.youtube.com/watch?v=UCKIdx5rdFg   ... view more
Migrate from C170 to C190
Created by fhk_license on 05-26-2020 02:24 AM
3
0
3
0
I need to migrate from C170 to C190 and have already match to the same Firmware Version. I have a question. Is there any method that can export and import the configuration file instead of form cluster ?
DGTL-BRKSEC-1011 - A Challenger Appears: Defending Mailboxes...
Created by chclasen on 05-20-2020 09:43 AM
0
0
0
0
This AMA will serve as the Q&A for the Cisco Live Digital breakout DGTL-BRKSEC-1011 - "A Challenger Appears: Defending Mailboxes in the Cloud" which covers a brand new product which will be announced during the event: Cloud Mailbox Defense. Join Techn... view more
ASA Image won't stay
Created by Senbonzakura on 05-19-2020 12:19 PM
3
0
3
0
I've fixed this before but now I'm running into a different type of an issue. My firewall isn't booting to the image so I have to keep reloading the image onto the ASA. Any help would be appreciated. Also my Config-Register is set to 0x1. As of right now,... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad