Showing results for 
Search instead for 
Did you mean: 

FTD - User based rules for AnyConnect users


Hi all,


I have a question about a scenario for which I could not find a detailed answer in any Cisco documentation.

- Let's say we have an FTD device managed by FMC.

- We have AnyConnect set up, being authenticated via LDAP (AD) with a set-up Realm.

- Users and groups are being downloaded just fine.

- Identity policy is set to Passive Authentication via the same Realm and attached to the ACP


However, when trying to use User based rules on the ACP, they don't hit.

On User Activity and Active sessions, VPN authenticated users show up, but on Connection Events, the Initiator User is shown as Unknown.


Using, we see that the user-to-ip mapping exists on the FMC but not on the FTD.


Is User Agent needed for this scenario? (User based rules ONLY for VPN authenticated users)

Not set at the moment.


Thanks in advance,


3 Replies 3

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

The User Agent (which is being deprecated) or ISE/ISE-PIC is required to get the mapping of user to IP address. Realm integration and the LDAP/AD authentication by themselves won't do that for purposes of using identity in your Access Control Policy.

Hi Marvin,


Thanks for the quick reply.

Is that the case, even if we are talking about AnyConnect users and not users that log on PCs?


The user to IP mapping should be known by the FMC, as it is the one performing the authentication and assigning the IP address from the VPN pool to the remote user.

I can also see the mapping on FMC, using the script.


Also, please check below (How to User VPN Identity for User-id Based Access Control Rules):


Please let me know your thoughts and provide any supporting documentation if you are aware of one.


Thanks in advance,


I had a similar issue with users showing as unknown.
You need to install the user agent to collect identities for use in identity based policies.
Authentication from VPN won’t necessarily bring that user into events.
From what I remember, the user agent correlates login and log off events from the DC, and that’s how it can display users with IPs.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers