7067 Views · 0 Helpful · 6 Replies

FTD Remote Access VPN allow only AD group?

Jack G (Level 1)

Is it possible to just allow specific users or a group to connect via remote access VPN? After configuring the identity realm and testing, any AD user can connect. Do I need to scope the Base DN to a specific group or OU, or is there something else I'm missing here?

Accepted Solution

skra (Level 1)

Dear Jack,

The solution is in the URLs below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/4561-docs-security/article-id/4171

The first URL shows how to enable NPS on the DC.

The second URL is how you lock AD groups with a specific group-policy.

On FMC, you should add the DC (NPS enabled) as a RADIUS server (Object / Object Management).

Add the RADIUS server as the VPN authentication and everything is OK.

If you need any more info, do not hesitate to ask!

skra

6 Replies

This works if you have FMC, but my understanding is that RADIUS is still in the works for FDM.

I think that it would also work on FDM.

My configuration works on FMC.

By enabling password management, the user can also change the password.

The only thing that does not work is password expiration notification.

 

Regards,

Spyros

I'll have to review and see if there are any additional updates. Working with TAC last month, RADIUS wasn't even an option for the FDM software, just AD.

Hello everyone! I have FMC and FTDv. I also need RA VPN for users who belong to one of the AD groups. I found this topic and tried to configure auth via NPS. But I didn't understand the second URL. Maybe because of this I receive Auth-Reject from NPS. Also I can't find the reason for the reject in Event Viewer on the AD server where NPS is configured. I view the NPS log via the log interpreter at C:\Windows\system32\LogFiles. Can anybody help me?

Not sure if it helps, but one issue we had working with Cisco support is that we had to check both "Encrypted authentication (CHAP)" and "Unencrypted authentication (PAP, SPAP)" under Authentication Methods.

 

An FMC command you can use for testing is firepower# test aaa authentication "enter name of RADIUS Server Group". It should ask for the RADIUS server IP, username, and password. I didn't have to use the domain in the username.
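Added example, not from this thread or from Cisco: a small Python parser for the NPS log files the poster above is reading under C:\Windows\system32\LogFiles. It pulls out the Access-Reject records with their Reason-Code, so a reject caused by a disabled authentication method (code 66, the PAP/CHAP issue in the previous reply) or by no matching network policy (code 48) is visible at a glance. It assumes NPS is writing the DTS-compliant XML format (one <Event> per line), uses a constructed sample log, and the reason-code meanings are a subset of Microsoft's published NPS list.

```python
import re
from collections import Counter

# Constructed sample in the NPS "DTS compliant" XML log format (one <Event>
# per line). Field names follow that schema; users, IPs and times are made up.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">05/14/2019 09:12:01.000</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><User-Name data_type="1">jdoe</User-Name><Client-IP-Address data_type="3">10.10.10.1</Client-IP-Address><Client-Friendly-Name data_type="1">FTD-RAVPN</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">05/14/2019 09:12:01.050</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><User-Name data_type="1">jdoe</User-Name><Client-IP-Address data_type="3">10.10.10.1</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code><NP-Policy-Name data_type="1">RAVPN-Users</NP-Policy-Name></Event>
<Event><Timestamp data_type="4">05/14/2019 09:15:40.000</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><User-Name data_type="1">contractor1</User-Name><Client-IP-Address data_type="3">10.10.10.1</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">05/14/2019 09:20:05.000</Timestamp><Computer-Name data_type="1">DC01</Computer-Name><User-Name data_type="1">asmith</User-Name><Client-IP-Address data_type="3">10.10.10.1</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code><NP-Policy-Name data_type="1">RAVPN-Users</NP-Policy-Name></Event>
"""

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Subset of Microsoft's documented NPS reason codes that matter for this thread.
REASON_CODES = {
    "0": "success",
    "8": "user account does not exist",
    "16": "credentials mismatch (bad password)",
    "48": "no network policy matched (check the group condition / policy order)",
    "65": "AD dial-in Network Access Permission denies the user",
    "66": "auth method not enabled on the matched policy (e.g. PAP/CHAP unchecked)",
}

# Each field looks like <Name data_type="N">value</Name>; \1 re-matches the name.
FIELD_RE = re.compile(r'<([\w-]+) data_type="\d+">([^<]*)</\1>')

def parse_events(text):
    """Turn each <Event> line into a dict of field name -> value."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def explain_rejects(events):
    """One tuple per Access-Reject: (user, client, code, explanation, policy)."""
    out = []
    for ev in events:
        if PACKET_TYPES.get(ev.get("Packet-Type")) != "Access-Reject":
            continue
        code = ev.get("Reason-Code", "?")
        out.append((ev.get("User-Name"), ev.get("Client-IP-Address"), code,
                    REASON_CODES.get(code, "see Microsoft NPS reason code list"),
                    ev.get("NP-Policy-Name", "<none matched>")))
    return out

def reject_reason_counts(events):
    """How often each reason code shows up among the rejects."""
    return Counter(code for _, _, code, _, _ in explain_rejects(events))

if __name__ == "__main__":
    for row in explain_rejects(parse_events(SAMPLE_LOG)):
        print(row)
```

Point the script at a real file with `parse_events(open(path).read())`; a reject with no NP-Policy-Name means the request never matched a network policy, a reject with a policy name means the policy matched but rejected for the reason given.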
