FMC External Authentication

Irakli Gvishiani
Beginner

Hello,

We have Cisco FMC, version 7.0.1.

I would like to configure access to the FMC based on AD groups; the integration is done through LDAP. At the moment we have 2 AD groups:

First - Full Access (Grant-FMC-Admin), Second - Read Only Security Analyst (Grant-FMC-ReadOnly) 

You can see the configuration in the screenshots.

IrakliGvishiani_1-1665485275475.png

 

IrakliGvishiani_0-1665485172982.png

Here is the test result:

IrakliGvishiani_0-1665485705711.png

As I have discovered, some users can log in, some cannot. What is the problem?

 

1 Accepted Solution

Aref Alsouqi
VIP Collaborator

The issue seems to be related to hitting the maximum query size limit, as stated in the error. I would try to use a more specific base DN instead of the root one, and also a base filter that would match all the queried users.


balaji.bandi
VIP Community Legend

This looks to me more like something on the AD side; you need to verify the users are in the correct group.

Compare working vs. non-working users so you can see the difference in the user profiles in AD.

 

BB


For example, User1 can be a member of Grant-FMC-Admin\Grant-FMC-ReadOnly and this user will have the correct assigned role. But User2 can be a member of Grant-FMC-Admin\Grant-FMC-ReadOnly and this user can't log in at all.

Aref Alsouqi
VIP Collaborator

The issue seems to be related to hitting the maximum query size limit, as stated in the error. I would try to use a more specific base DN instead of the root one, and also a base filter that would match all the queried users.

I tried to be more specific, but the situation is the same.

Irakli Gvishiani
Beginner

How and what do I need to check regarding these 67 users? These users are created in the same way as the other 550...

Aref Alsouqi
VIP Collaborator

I don't personally think the issue is related to the users' attributes; I think it is just the size limit that is getting hit. Did you also try the base filter?

You were right, I made the Base DN more specific and now it works. Thanks.

Aref Alsouqi
VIP Collaborator

Glad to hear this has been fixed now and you're welcome.
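
The size-limit effect discussed in this thread, as an added example that is not part of the original posts and is not Cisco or Active Directory code: a simplified Python model of a subtree search with a result cap, showing why a root base DN leaves only some group members visible while a narrower base DN or a base filter returns all of them. The domain, OU names, entry counts, the cap of 5 and the `memberOf`-style filter are constructed assumptions; only the group name Grant-FMC-Admin comes from the thread.

```python
# Simplified model of an LDAP subtree search with a server-side size limit.
# All DNs, counts and the limit below are constructed for illustration.
SIZE_LIMIT = 5  # stand-in for the directory's per-query result cap
ROOT = "DC=example,DC=com"
STAFF = "OU=Staff," + ROOT
ADMIN = "CN=Grant-FMC-Admin,OU=Groups," + ROOT

def build_directory():
    """Constructed entries as (dn, memberOf): 4 admins split around 8 PCs."""
    user = lambda i: (f"CN=user{i},{STAFF}", [ADMIN])
    pcs = [(f"CN=pc{i},OU=Computers,{ROOT}", []) for i in range(8)]
    return [user(0), user(1)] + pcs + [user(2), user(3)]

def under(dn, base_dn):
    """True if dn equals base_dn or sits below it (component boundary)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def search(directory, base_dn, member_of=None, size_limit=SIZE_LIMIT):
    """Return (entries, truncated); truncated models sizeLimitExceeded."""
    hits = []
    for dn, groups in directory:
        if not under(dn, base_dn):
            continue  # outside the search base
        if member_of is not None and member_of not in groups:
            continue  # rejected by the base filter
        if len(hits) == size_limit:
            return hits, True  # more matches exist than the cap allows
        hits.append((dn, groups))
    return hits, False

def resolvable_admins(directory, base_dn, member_of=None):
    """Admin-group members the client can actually see, plus truncation."""
    entries, truncated = search(directory, base_dn, member_of)
    return sorted(dn for dn, groups in entries if ADMIN in groups), truncated

if __name__ == "__main__":
    d = build_directory()
    for label, base, flt in [("root base DN, no filter", ROOT, None),
                             ("specific base DN", STAFF, None),
                             ("root base DN + base filter", ROOT, ADMIN)]:
        admins, truncated = resolvable_admins(d, base, flt)
        print(f"{label}: {len(admins)}/4 admins visible, truncated={truncated}")
```

In the model, the root search fills the cap with unrelated objects and returns only two of the four group members, which matches the symptom of some users logging in and others not.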
