02-10-2020 07:24 AM - edited 02-21-2020 09:54 AM
We are in a testing phase with FTD. Currently, we use DAPs with ASA to control which users get certain access lists when connecting with AnyConnect, and it works well and is clean. I know that is not a feature in FTD yet (or maybe ever), but I was curious if anyone has found a workaround. We will probably have ISE PIC, not full-blown ISE, if we decide to go with this solution. However, I don't have access to ISE PIC yet to test if it can be done using that. I know ISE PIC does user identification, so my thought is maybe I can build access policies based on that.
02-10-2020 07:32 PM
03-05-2020 11:35 PM - edited 03-05-2020 11:37 PM
Hi!
There is kind of a workaround.
As far as I know there is no way to build additive authorization policies on ISE. So when a user is a member of group a and group b, ISE will stop authorization after the first hit (group a -> dest a). BUT: you might use the ID Policy to enable identity/group-based ACLs, i.e. group a gets an ACP entry for destination a, group b for dest b. Then it's possible to combine the access if the user is a member of both groups. FTD uses the user from VPN authentication (Analysis -> User Activity (or something like this) -> current sessions). Not as nice as DAP, as you were able to check more than AD groups, but it's something...
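The distinction this reply draws, between an authorization policy that stops at the first matching rule and an access policy in which every matching group rule contributes, can be modelled in a few lines. The following is an added illustration, not Cisco code or anything from this thread; the group and destination names are constructed placeholders and the two evaluators only model the behaviour described in the reply.

```python
"""Constructed model of first-match authorization versus per-rule identity ACP.

Placeholder policy: one rule per AD group, each permitting one destination.
Group and destination names are invented for illustration only.
"""

# Ordered rule list: (group that must match, destination the rule permits).
GROUP_RULES = [
    ("group_a", "dest_a"),
    ("group_b", "dest_b"),
]


def first_match_authorization(user_groups, rules=GROUP_RULES):
    """Model of the ISE behaviour described in the reply: evaluation stops at
    the first rule whose group the user belongs to, so a user in both groups
    only receives the result of the first rule."""
    for group, dest in rules:
        if group in user_groups:
            return {dest}
    return set()  # no rule matched: nothing permitted


def per_rule_access_policy(user_groups, rules=GROUP_RULES):
    """Model of identity-based ACP entries: each rule is checked independently
    for the connection, so every group the user belongs to adds its destination
    and the effective access is the union of the matching rules."""
    allowed = set()
    for group, dest in rules:
        if group in user_groups:
            allowed.add(dest)
    return allowed


def is_permitted(user_groups, destination, evaluator):
    """Decide one connection attempt under the chosen evaluation model;
    anything not explicitly permitted is denied."""
    return destination in evaluator(user_groups)


if __name__ == "__main__":
    both = {"group_a", "group_b"}
    for name, evaluator in (("first-match", first_match_authorization),
                            ("per-rule", per_rule_access_policy)):
        print(f"{name}: user in both groups may reach {sorted(evaluator(both))}")
```

Running the block shows the user in both groups reaching only dest_a under first-match evaluation but both destinations under the per-rule model, which is the combination effect the reply describes.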
03-13-2020 04:09 AM
07-09-2021 12:19 PM
Upgrade the FTD to release 7.0. You can configure DAP directly.