group-lock on Firepower

nickliako
Level 1

Hello,

I have multiple group policies for AnyConnect, and on some of them I would like my users not to be able to choose a connection profile, much the same way this is accomplished with the group-lock attribute in ESA.

Unfortunately, I cannot see something similar in FMC which manages my Firepower appliances.

Keep in mind that group policies are mapped to AD Groups (LDAP Mapping).

 

Can this be accomplished somehow without the use of an external RADIUS server (ISE, etc.)?

 

Thanks

3 Replies

cmarin
Level 1

I have exactly the same issue now.

The AnyConnect users are able to see all the aliases available, and the FMC/FTD is not able to limit this like the ASA did with the group-lock value.

Is it necessary to do it on ISE only?

 

It depends on how you do authentication and authorization. E.g., you can use AD/LDAP and assign a group-policy directly to each user by mapping some LDAP attribute to a group-policy name. For example, this article maps memberOf to a group-policy, but you can use other attributes from the LDAP schema too:
https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

In this case you can have a single tunnel-group (connection profile) and don't need the group-lock feature.

Or you can map some other LDAP attribute to the Tunnel-Group-Lock value (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html).

Or you can achieve the same with RADIUS.

 

 

For LOCAL authentication this feature hasn't been implemented:

CSCvz10754 ENH: RAVPN(FMC): Option to add attributes for Local user
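The following is an added illustration of the decision logic the replies describe (LDAP memberOf selects a group-policy, and the group-policy's Tunnel-Group-Lock decides whether the connection profile the client picked is acceptable). It is not Cisco code and does not reflect how FTD implements the check internally; the group DNs, policy names, profile names and the first-match ordering of the attribute map are all constructed assumptions for the example. The point it makes for a defender is that the restriction is enforced at authorization time on the headend, regardless of which aliases the client can see in the drop-down.

```python
from typing import List, Optional, Tuple
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupPolicy:
    """A group-policy as described in the thread: optionally pinned to one
    connection profile (tunnel-group) via tunnel-group-lock."""
    name: str
    tunnel_group_lock: Optional[str] = None  # None means the policy is not locked


# Constructed sample attribute map (memberOf value -> group-policy name).
# Assumption: entries are evaluated in list order and the first match wins.
LDAP_ATTRIBUTE_MAP = [
    ("CN=VPN-Admins,OU=Groups,DC=example,DC=com", "GP-Admins"),
    ("CN=VPN-Staff,OU=Groups,DC=example,DC=com", "GP-Staff"),
]

# Constructed group-policies; the default policy is deliberately unlocked.
GROUP_POLICIES = {
    "GP-Admins": GroupPolicy("GP-Admins", tunnel_group_lock="Admin-Profile"),
    "GP-Staff": GroupPolicy("GP-Staff", tunnel_group_lock="Staff-Profile"),
    "DfltGrpPolicy": GroupPolicy("DfltGrpPolicy"),
}

DEFAULT_POLICY = "DfltGrpPolicy"


def select_group_policy(member_of: List[str],
                        attribute_map=LDAP_ATTRIBUTE_MAP,
                        default: str = DEFAULT_POLICY) -> str:
    """Map the user's memberOf values to a group-policy name.

    A user in several mapped groups gets the first matching map entry
    (assumed ordering); a user matching nothing gets the default policy.
    """
    groups = set(member_of)
    for group_dn, policy_name in attribute_map:
        if group_dn in groups:
            return policy_name
    return default


def authorize(member_of: List[str], selected_profile: str,
              policies=GROUP_POLICIES,
              attribute_map=LDAP_ATTRIBUTE_MAP) -> Tuple[bool, str, str]:
    """Decide whether a session that picked `selected_profile` may proceed.

    Returns (allowed, group_policy_name, reason). Hiding aliases from the
    client does not enforce anything; this server-side comparison does.
    """
    policy_name = select_group_policy(member_of, attribute_map)
    policy = policies[policy_name]
    if policy.tunnel_group_lock is None:
        return True, policy_name, "group-policy is not locked to a connection profile"
    if policy.tunnel_group_lock == selected_profile:
        return True, policy_name, "connection profile matches tunnel-group-lock"
    return (False, policy_name,
            f"tunnel-group-lock requires {policy.tunnel_group_lock!r}, "
            f"session selected {selected_profile!r}")


if __name__ == "__main__":
    # Constructed sessions: (memberOf values, profile the client chose)
    sessions = [
        (["CN=VPN-Admins,OU=Groups,DC=example,DC=com"], "Admin-Profile"),
        (["CN=VPN-Admins,OU=Groups,DC=example,DC=com"], "Staff-Profile"),
        (["CN=VPN-Staff,OU=Groups,DC=example,DC=com"], "Staff-Profile"),
        ([], "Staff-Profile"),
    ]
    for groups, profile in sessions:
        allowed, policy, reason = authorize(groups, profile)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {policy:14} {reason}")
```

The fourth constructed session shows the caveat worth checking in a real deployment: a user who matches no map entry lands in the default group-policy, so if that policy is left unlocked (as here) the user can connect through any profile. Locking or otherwise restricting the default policy is what closes that gap.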

 
