cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
356
Views
1
Helpful
4
Replies

FMC FTD - Different Active Directory server per FTD for same domain

Tibor M
Level 1
Level 1

Hi,

I have following situation:

  • 1 x FMC 7.4
  • 3 x FTD 7.4 (each FTD on different remote location)

I need Secure Client VPN on each FTD, which is not a problem. VPN should authenticate against FTD's local Active Directory server and with backup to central site.

We are not able to figure out how to configure AD AAA integration for VPN on FMC while "AD Primary Domain" must be unique, but we need it 3 times as each realm will have different servers inside this configuration with different interface groups selected as source for that server. Or we need have the way somehow, to say - "on this FTD use this AD server as primary and this AD server as backup" (not all IP addresses are accessible from each site to other sites).

As we had ASA before we have configured AAA servers per ASA, now it looks that 1 AD domain can be there only once, but we do not know how it's prioritizing AD servers from that configuration.

fmc_realms.png

fmc_directory.png

 

4 Replies 4

sorry can you more elaborate

you have three Anyconnect group each one use different domain ?

you want to use on AD integration for three domain ?

MHM 

HI,

no exactly.

We have 3 sites - HQ, Branch 1, Branch 2. Each has FTD there. FMC is located in HQ, so HQ FTD is managed through management port, branches through data port.

We have 1 AD domain let's say "domain.com". We have 2 Domain Controllers in HQ and 1 DC on Branch 1, 1 DC on Branch 2. Branch offices DCs communicate over site-to-site VPN only with HQ, branches cannot communicate together. so site-to-site is configured as "Branch 1 - HQ" and "Branch 2 - HQ".

I need to ensure that FTD in Branch 1 connect to local DC for VPN authentication over it's interface called Vlan100 and as a backup through site-to-site VPN to DC in HQ (public IP will be included in cryptomap so it's able to communicate with DC private IP).

The same applies for FTD in Branch 2, connect to local DC for VPN authentication over it's interface called Vlan200.

The thing is that Vlans are different on each location, and it's not possible to make them same. When I try to configure AAA Integration in FMC it's not allowing me to configure same unique domain "domain.com" for more than 1 AAA configuration. But in case I put there more servers for AD, only first is used till is unreachable, then second, but if first is HQ DC, then remote branch FTD will need to connect remotely for VPN AD authentication which will be long and slow down connections of users.

FTDFMC.png

1.1.-Cisco-FMC-Realm-Types-.png

there is option add another directory can you check it 
thanks 
MHM

of course there it is, that's I know. but on FMC/FTD 7.4 field "AD Primary Domain" is mandatory and UNIQUE, that's my problem. I cannot add multiple connection to same AD domain due mandatory of that field.

fmc_error.png

Review Cisco Networking for a $25 gift card