Beginner

FTD - User based rules for AnyConnect users

Hi all,

I have a question about a scenario for which I could not find a detailed answer in any Cisco documentation.

- Let's say we have an FTD device managed by FMC.

- We have AnyConnect set up, being authenticated via LDAP (AD) with a set-up Realm.

- Users and groups are being downloaded just fine.

- Identity policy is set to Passive Authentication via the same Realm and attached to the ACP.

However, when trying to use User based rules on the ACP, they don't hit.

On User Activity and Active Sessions, VPN-authenticated users show up, but on Connection Events, the Initiator User is shown as Unknown.

Using user_map_query.pl, we see that the user-to-IP mapping exists on the FMC but not on the FTD.

Is User Agent needed for this scenario? (User-based rules ONLY for VPN-authenticated users)

Not set at the moment.

Thanks in advance,

P

Hall of Fame Guru

Re: FTD - User based rules for AnyConnect users

The User Agent (which is being deprecated) or ISE/ISE-PIC is required to get the mapping of user to IP address. Realm integration and the LDAP/AD authentication by themselves won't do that for purposes of using identity in your Access Control Policy.

Beginner

Re: FTD - User based rules for AnyConnect users

Hi Marvin,

Thanks for the quick reply.

Is that the case even if we are talking about AnyConnect users and not users that log on to PCs?

The user-to-IP mapping should be known by the FMC, as it is the one performing the authentication and assigning the IP address from the VPN pool to the remote user.

I can also see the mapping on FMC, using the user_map_query.pl script.

Also, please check below (How to Use VPN Identity for User-id Based Access Control Rules):

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#concept_hm3_yy2_2hb

Please let me know your thoughts and provide any supporting documentation if you are aware of one.

Thanks in advance,

P