Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
790
Views
0
Helpful
1
Replies

FMC RAVPN with LDAP and ISE user identity

Peter Koltl
Level 7
Level 7

‎09-26-2023 11:37 PM - edited ‎09-26-2023 11:38 PM

We have FMC-FTD RAVPN with LDAP realm just like in
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/216955-configure-ad-ldap-authentication-and-u.html#anc17 
The Identity policy contains the LDAP realm. The user-based ACL rules in the ACP work correctly for RAVPN traffic. (Actually I don't quite understand why an Identity policy is required because "RAVPN sessions are actively authenticated by VPN. Other sessions use the rule Action" in the Identity policy.)

Now we have to add a new Connection Profile with Cisco ISE RADIUS AAA + posture and I am not sure how we will be able to use the Connection profiles parallelly and use the existing user rules in the ACP. How the Identity Policy should be modified? Should it contain (and distinguish) both the LDAP and the RADIUS connections? (I assume we can't distinguish unless we define another VPN pool to the RADIUS Connection Profile.)
AFAIK if a firewall has only RADIUS AAA (no LDAP) the user rules in ACP can work without any Identity policy.
Or do we have to add ISE in FMC as an Identity Source?


Our first tests with the new Connection Profile show that the user rules are not matched after the posture CoA... And the logs before CoA show they are matched to LDAP identity which is good but I'm worried about being dependent on the LDAP realm. (We may delete the old profile later when the migration completes.)

 

0 Helpful
1 Reply 1

Cisco_Virtual_Engineer
Level 3
Level 3

‎09-29-2023 08:19 AM

To modify Identity Policy in FMC-FTD RAVPN with LDAP and RADIUS connections, follow these steps:

1. Log in to the Firepower Management Center (FMC) web interface.
2. Go to Policies ) Access Control ) Identity.
3. Click on the Identity Policy you want to modify.
4. In the Identity Rules section, you can add, edit, or remove rules to define how identities are mapped to IP addresses. For example, you can create a rule that maps LDAP users to specific IP addresses or define rules that map RADIUS groups or attributes to IP addresses.
5. To add a new rule, click on the "+" button under Identity Rules and configure the rule with the desired settings. For example, you can select the LDAP or RADIUS server, specify the conditions for the rule, and define the mapped IP address.
6. To edit an existing rule, click on the rule and modify the settings as needed.
7. To remove a rule, select the rule and click on the "-" button.
8. Click Save to apply the changes to the Identity Policy.

Note: The specific configuration steps may vary depending on your FMC version and setup. It's recommended to refer to the official Cisco documentation or contact Cisco support for detailed instructions tailored to your specific configuration.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card