Re: FTD 1010 / 6.7: Connection to AD realm and ACL/identity policy doesn't seem to work - Page 2

mcgiga · ‎11-12-2020

Hi all,

we have setup up a AD realm and a identity police. We want to apply ACLs to allow RA VPN connections for some users to some destinations.

The AD realm connection is working according to the test function. When we create an ACL, switch to user tab, the AD realm connection doesn't show the user and groups of the AD.

The AnyConnect is working, logon with AD credentials of a user is working fine.

Is there something special to do to get the users and groups from AD realm?

mcgiga · ‎12-09-2020

I had another WebEx call with the engineer in this support case some minutes ago. He had a look at the realm configuration, everything was fine expet the username of AD he said.

We changed it from samAccountName (i.e. cisco.user) to userPrincipalName (i.e. cisco.user@domain.tld). After deploying it, what should I say, it's working and pulling groups and user accounts.

It's very strange because in the last two weeks I have changed so many things in realm configuration (FQDN instead of IP address, different useraccounts etc.) and of course the samAccountName to UserPrincipalName and it didn't worked!

Maybe it has something to do with your workaround (pmtool disablebyid adi, pmtool enablebyid adi) which I tried today.

Leon1 · ‎12-09-2020

ouh... I am running the realm Config since two years now and I have just updated. Maybe the function has been changed in 6.7.0. I will try it out this evening and let you know.

Crazy...

Leon1 · ‎12-09-2020

Okay I can confirm this is working now!

It seems there is a change in the way the username is used for authentication. I have added the the domain suffix "@bla.bla" and executed the commands I sent to you and now it is working. I can see the groups I have created for testing now in the ACL settings.

Thank you! The Cisco community is awesome!

You can give me a "helpful" rating for the issued commands if you like

Have a nice day