460 Views | 0 Helpful | 3 Replies
Beginner

Dynamic Access Policy (DAP) for AnyConnect work around on FTD

We are in a testing phase with FTD. Currently, we use DAPs with ASA to control which users get certain access lists when connecting with AnyConnect, and it works well and is clean. I know that is not a feature in FTD yet (or maybe ever), but I was curious if anyone has found a workaround. We will probably have ISE PIC, not full-blown ISE, if we decide to go with this solution. However, I don't have access to ISE PIC yet to test if it can be done using that. I know ISE PIC does user identification, so my thought is maybe I can build access policies based on that.

3 REPLIES
VIP Advisor

Re: Dynamic Access Policy (DAP) for AnyConnect work around on FTD

Hi

You can push group policy, pool ip, acl.

Here is a doc explaining it:
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-ravpn.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: Dynamic Access Policy (DAP) for AnyConnect work around on FTD

Hi!

There is kind of a workaround.

As far as I know there is no way to build additive authorization policies on ISE. So when a user is a member of group a and group b, ISE will stop authorization after the first hit (group a -> dest a). BUT: You might use ID Policy to enable identity/group based ACLs, i.e. group a gets an ACP entry for destination a, group b for dest b. Then it's possible to combine the access if the user is a member of both groups. FTD uses the user from VPN Authentication (Analysis -> User Activity (or something like this) -> current sessions). Not as nice as DAP, as you were able to check more than AD groups, but it's something...
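A small model of the difference the reply above describes, added here as an illustration and not Cisco, ISE or FTD code (group names, destinations and rule sets are constructed): a session-time authorization rule is matched once on user attributes and returns one result, while an identity-based access control entry is matched per connection on group and destination, so a user in both groups reaches both destinations.

```python
# Constructed model of the two evaluation styles described in the reply above.
# Not Cisco code; it follows the reply's description rather than any product's
# internals. Groups, destinations and rules below are made-up sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionRule:
    """Matched once at login on user attributes only; the result (a set of
    permitted destinations, standing in for a downloadable ACL) is fixed for
    the whole session, so only the first hit counts."""
    group: str
    permits: frozenset


@dataclass(frozen=True)
class FlowRule:
    """ACP-style entry: matched per connection on identity group AND destination."""
    group: str
    destination: str
    action: str  # "allow" or "block"


# One entry per AD group, as the reply suggests building the policy.
SESSION_RULES = (SessionRule("group-a", frozenset({"dest-a"})),
                 SessionRule("group-b", frozenset({"dest-b"})))
FLOW_RULES = (FlowRule("group-a", "dest-a", "allow"),
              FlowRule("group-b", "dest-b", "allow"))


def session_authorize(user_groups, rules=SESSION_RULES):
    """First-hit semantics: the first rule whose group the user is in wins."""
    for rule in rules:
        if rule.group in user_groups:
            return set(rule.permits)
    return set()  # no matching rule: nothing permitted


def session_permits(user_groups, dest):
    return dest in session_authorize(user_groups)


def flow_permits(user_groups, dest, rules=FLOW_RULES):
    """Also first-match, but destination is part of the match, so a connection
    to dest-b skips the group-a entry and is decided by the group-b entry."""
    for rule in rules:
        if rule.group in user_groups and rule.destination == dest:
            return rule.action == "allow"
    return False  # implicit default: block
```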

Frequent Contributor

Re: Dynamic Access Policy (DAP) for AnyConnect work around on FTD

But do they merge, Nüüül?