03-26-2020 04:12 AM
Hi all,
I have a question about a scenario for which I could not find a detailed answer in any Cisco documentation.
- Let's say we have an FTD device managed by FMC.
- We have AnyConnect set up, being authenticated via LDAP (AD) with a set-up Realm.
- Users and groups are being downloaded just fine.
- Identity policy is set to Passive Authentication via the same Realm and attached to the ACP.
However, when trying to use User based rules on the ACP, they don't hit.
On User Activity and Active Sessions, VPN authenticated users show up, but on Connection Events, the Initiator User is shown as Unknown.
Using user_map_query.pl, we see that the user-to-ip mapping exists on the FMC but not on the FTD.
Is User Agent needed for this scenario? (User based rules ONLY for VPN authenticated users)
Not set at the moment.
Thanks in advance,
P
03-26-2020 04:24 AM - edited 03-26-2020 04:24 AM
The User Agent (which is being deprecated) or ISE/ISE-PIC is required to get the mapping of user to IP address. Realm integration and the LDAP/AD authentication by themselves won't do that for purposes of using identity in your Access Control Policy.
03-26-2020 04:44 AM
Hi Marvin,
Thanks for the quick reply.
Is that the case, even if we are talking about AnyConnect users and not users that log on PCs?
The user to IP mapping should be known by the FMC, as it is the one performing the authentication and assigning the IP address from the VPN pool to the remote user.
I can also see the mapping on FMC, using the user_map_query.pl script.
Also, please check below (How to Use VPN Identity for User-ID Based Access Control Rules):
Please let me know your thoughts and provide any supporting documentation if you are aware of one.
Thanks in advance,
P
04-29-2020 05:39 PM