FMC RA VPN policies integration with Azure AD

FilipX
Level 1

Hi all,

I have an issue on FMC caused by a migration from on-prem MS AD to Azure AD. The problem is with RA VPN access policies that use user-based restrictions.

Previously, users authenticated with their on-prem MS AD credentials and gained access to allowed resources based on their identity from the legacy AD Realm configured in the access policies.

The situation after the AD migration is as follows:

I have configured SAML authentication for RA VPN to authenticate users from the MS Azure domain. It works as expected, and users can connect using AnyConnect by providing their credentials via Microsoft.

I have also successfully created an MS Azure Realm in FMC.

I can list the users from the Azure Realm and use them in RA VPN access policies, but it does not affect access to or blocking of the resources. It seems that FMC can't link the user authenticated through SAML while establishing the VPN connection with the user from the Azure Realm specified in the access policy, although it is the same user.

Just to mention that implementing Cisco ISE is not an option.

Any ideas are appreciated.

Thanks,
Filip

3 Replies

MS AD != Azure AD. Also Azure AD is called Entra ID now.

So what is the user's UPN? Does that match? What is being returned to the firewall from the SAML flow?

ISE is not required here.

Hi ahollifield,

Thank you for your answer.
In the Remote Access VPN Overview Dashboard in FMC, under active sessions, users are listed with their username, not with the UPN.
Can you please clarify which user's UPN should match: the one from SAML with the one from the Azure (Entra) Realm?

Thanks,
Filip

Needs to match whatever is being looked up inside of Entra.
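The two replies above boil down to one check: look at the identity the IdP actually puts in the SAML assertion (NameID and the name claim) and compare it, character for character, with the identity the realm and the active-sessions view show. The script below is an added example for doing that offline, not code from the original thread or from Cisco: it decodes a SAMLResponse form value as the browser would POST it to the firewall's ACS URL, prints the NameID, its Format and every attribute, and reports how the assertion identity differs from a candidate realm identity (case only, missing @domain suffix, different suffix, or a different user). The SAMLResponse is constructed for the example; the claim URI is the one Entra ID emits for the UPN by default, which is an assumption about the tenant's claim configuration. The script does not verify the assertion signature, so use it as a diagnostic view of what the IdP sent, not as a validator.

```python
"""Decode a SAMLResponse as the firewall receives it and show the identity it
carries, so it can be compared with the user as listed in the Entra realm.
Added example; the SAMLResponse below is constructed, not a capture."""
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Entra ID emits the UPN in this claim by default (assumption about the
# tenant's claim configuration; verify in the enterprise application).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample: a minimal SAML 2.0 Response with a NameID and two
# attributes, shaped like what the IdP would POST to the ASA/FTD ACS URL.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">filip@contoso.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>filip@contoso.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Filip X</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(b64_response: str) -> dict:
    """Return the NameID, its Format and the attributes of a base64-encoded
    SAMLResponse form value. The signature is not checked here; this shows
    what the IdP sent, it does not validate it."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion found (an EncryptedAssertion must be decrypted first)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def explain_mismatch(saml_identity: str, realm_identity: str) -> str:
    """Compare the identity from the assertion with the one shown for the
    realm user or the active session. Only an exact, case-insensitive match
    counts; any other relationship is named so it can be fixed on the IdP
    (claim choice) or realm side."""
    a, b = saml_identity.strip().lower(), realm_identity.strip().lower()
    if a == b:
        return "match"
    a_user, _, a_dom = a.partition("@")
    b_user, _, b_dom = b.partition("@")
    if a_user == b_user and (not a_dom or not b_dom):
        return "same user part, one side lacks the @domain suffix"
    if a_user == b_user and a_dom != b_dom:
        return f"same user part, different domain suffix ({a_dom} vs {b_dom})"
    return "different user"


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_SAMLRESPONSE)
    print("NameID:", parsed["name_id"], "format:", parsed["name_id_format"])
    for name, values in parsed["attributes"].items():
        print(f"  {name} = {values}")
    # Candidate identities as they might appear in the realm or session view
    for shown in ("filip", "FILIP@contoso.com", "filip@contoso.onmicrosoft.com"):
        print(f"{shown!r}: {explain_mismatch(parsed['name_id'], shown)}")
```

To run it against a real login, replace SAMPLE_SAMLRESPONSE with the SAMLResponse value captured from the browser during an AnyConnect SAML login (a SAML tracer extension or the network tab shows the POST to the ACS URL) and pass the username exactly as the FMC active-sessions view prints it. A result other than "match" tells you which side to change: the claim the IdP sends, or the attribute the realm uses to identify the user.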