
FTD - AnyConnect Local User migration from ASA.

darrenj
Level 1

Hey all, I'm migrating from an ASA to FTD (managed by FMC). In the current ASA deployment, we have lots of VPN users that connect to a single tunnel-group and authenticate using local user credentials configured on the ASA.

Now for the magic... based on the username that logs in, the ASA will assign a group-policy (contains stuff like IP pool to use, split-tunneling, etc.) and a VPN filter (which restricts access to specific resources). This works great and gives me complete flexibility. Example user:

username darrentest password <password> encrypted
username darrentest attributes
vpn-group-policy GP_TEST
vpn-filter value ACL_TEST

Now I try and set up the same thing in v7.4 of FMC and it's a big fail. When I create a username/password there is no option to configure attributes like group-policy, VPN filter, etc.

Spoiler Alert! I know this can be achieved with AAA servers (RADIUS attributes) but I don't have this and I simply want to migrate my existing solution.

Has anyone come across this before, and is my understanding of this big limitation correct? I can't even see it working with FlexConfigs.

Thanks

Darren
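As an added example (not part of Darren's post and not a Cisco tool), a small Python parser that inventories the ASA `username ... attributes` blocks so you know, before migrating, which local users carry a per-user group-policy or vpn-filter that an FMC local user cannot express. The sample config is constructed and modelled on the snippet above; ASA indents attribute lines with one space, which the parser relies on.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of ASA running-config lines (not a real device export).
SAMPLE_CONFIG = """\
username darrentest password <password> encrypted
username darrentest attributes
 vpn-group-policy GP_TEST
 vpn-filter value ACL_TEST
username plainuser password <password> encrypted
username ops1 password <password> encrypted
username ops1 attributes
 vpn-group-policy GP_OPS
 service-type remote-access
"""

@dataclass
class LocalUser:
    name: str
    group_policy: Optional[str] = None   # from 'vpn-group-policy <name>'
    vpn_filter: Optional[str] = None     # from 'vpn-filter value <acl>'
    other_attrs: List[str] = field(default_factory=list)

def parse_local_users(config: str) -> Dict[str, LocalUser]:
    """Collect per-user VPN attributes from 'username <name> attributes' blocks."""
    users: Dict[str, LocalUser] = {}
    current: Optional[LocalUser] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^username (\S+)(?: (.*))?$", line)
        if m:
            user = users.setdefault(m.group(1), LocalUser(m.group(1)))
            # Only an 'attributes' line opens a block; 'password' lines do not.
            current = user if (m.group(2) or "").startswith("attributes") else None
            continue
        if current is None or not line.startswith(" "):
            current = None  # any other top-level command ends the block
            continue
        attr = line.strip()
        if attr.startswith("vpn-group-policy "):
            current.group_policy = attr.split(maxsplit=1)[1]
        elif attr.startswith("vpn-filter value "):
            current.vpn_filter = attr.split(maxsplit=2)[2]
        else:
            current.other_attrs.append(attr)
    return users

def migration_blockers(users: Dict[str, LocalUser]) -> List[str]:
    """Users whose per-user group-policy or vpn-filter FMC local users cannot carry."""
    return sorted(u.name for u in users.values() if u.group_policy or u.vpn_filter)
```

Run it against a real `show running-config` export to get the list of users that need a DAP, an external AAA server, or a redesign before cut-over.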

4 Replies

Marvin Rhoads
Hall of Fame

You can use dynamic access policy with condition being username. It can then assign a VPN filter or static IP (but not a group policy AFAIK).

Hey Marvin, thanks for this idea (it's been a while since I used DAPs!).

I looked into it, I could set a user message, network ACL and "custom attribute" in a DAP. The network ACL ticks my first requirement, but the custom attribute only appears to support 3 other attributes, with no option to set the address pool or group policy on a per-user basis.


So, I'm back in the position of looking for an option without using an AAA server or some other external server (before someone mentions that as a solution).

Darren

You're right. I thought I recalled being able to assign a static IP in there, but I just checked on my side and it's not an option.

Unfortunately you may have to use the option that you mentioned not wanting. There are some free ones that will serve, but it does require setting up an external server.

Thanks for checking my sanity your side too mate. It is quite lame I must say, it's been close to 10 years now and still so much functionality has been lost in the move from ASA to FTD/Firepower. I've worked on Cisco firewalls for about 20 years now (back to PIXs!) and it's not surprising to see them lose so much ground in the firewall space when you compare them to other vendors. Ah well.....
