07-26-2013 04:50 AM - edited 03-11-2019 07:17 PM
Hello all,
I have set up our Cisco ASA 8.4(4)1 so that it works as an Identity Firewall. Everything is going fine, except the following:
I've made an ACL so that only allowed users can access a few FTP servers. The thing is that those users belong to an Active Directory group. Using the AD group, the ACL is not being matched and therefore is not working.
However, if I change that AD group and try only my AD user, it does work.
I have other ACLs matching AD groups that are working fine.
So my question is:
Is there any limitation to those AD groups?
What can I check to know why my user (that belongs to that AD group) is not being allowed while ACL includes AD group?
Any help will be appreciated.
Thanks in advance.
Best regards,
Igor
07-29-2013 01:09 AM
Any idea of how I could try to solve this?
Thanks.
08-02-2013 01:44 AM
I've made another test. I've changed the group that matches the ACL and it works.
The differences between groups are:
- They're located in different OUs, but both are accessible.
- One has 6 users and the other many more.
Is there any kind of restriction on how many users a group can contain so that the ASA is able to check it?
Another group that does not work is a group (Global_FTP) containing 3 different groups, one of them being that other group (FTP_OfficeXX).
Any help will be appreciated.
Thanks!!!
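The two things the post above asks about, a nested group (Global_FTP containing FTP_OfficeXX) and group size, can both be checked against a directory snapshot before blaming the firewall. The script below is an added example written for this thread; it is not Cisco code and makes no claim about how the ASA or the AD agent actually resolves groups. It resolves effective (nested) membership the way a recursive `member` walk over LDAP would, reports the chain of groups through which a user reaches the group, and flags whether the flattened group exceeds a threshold. The directory snapshot is constructed: only the names Global_FTP and FTP_OfficeXX come from the thread; the other groups, the user names (igor is used as the test user) and the 50-member limit are assumptions for illustration, not documented ASA limits.

```python
"""Effective AD group membership resolver (added example, constructed data).

Models the two questions in the thread: does a user reach a group only
through a nested group, and how large is the flattened group.
"""
from collections import deque

# Constructed snapshot shaped like the LDAP 'member' attribute: each group
# maps to its direct members, which may be users or other groups.
# Global_FTP and FTP_OfficeXX are from the thread; everything else is made up.
DIRECTORY = {
    "Global_FTP":   ["FTP_OfficeXX", "FTP_OfficeYY", "FTP_Admins"],
    "FTP_OfficeXX": ["igor"] + [f"user{n:02d}" for n in range(1, 40)],
    "FTP_OfficeYY": [f"user{n:02d}" for n in range(40, 60)],
    "FTP_Admins":   ["ftpadmin"],
    "FTP_Small":    ["igor", "user01", "user02", "user03", "user04", "user05"],
}


def direct_members(group, directory=DIRECTORY):
    """Direct members of a group; any name that is not a group key is a user."""
    return list(directory.get(group, []))


def effective_members(group, directory=DIRECTORY):
    """Flatten nested groups breadth-first.

    Returns (users, depth) where depth is the deepest nesting level that
    contributed a user (0 means every user is a direct member). Groups
    already visited are skipped, so a membership cycle cannot loop forever.
    """
    users, seen = set(), {group}
    queue = deque([(group, 0)])
    max_depth = 0
    while queue:
        name, depth = queue.popleft()
        for m in direct_members(name, directory):
            if m in directory:                 # nested group
                if m not in seen:
                    seen.add(m)
                    queue.append((m, depth + 1))
            else:                              # user
                users.add(m)
                max_depth = max(max_depth, depth)
    return users, max_depth


def member_path(group, user, directory=DIRECTORY, _seen=None):
    """Chain of groups from `group` down to the group that holds `user`
    directly, or None if the user is not an effective member."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return None
    _seen.add(group)
    members = direct_members(group, directory)
    if user in members:
        return [group]
    for m in members:
        if m in directory:
            sub = member_path(m, user, directory, _seen)
            if sub:
                return [group] + sub
    return None


def acl_matches(group, user, resolve_nested=True, directory=DIRECTORY):
    """Model an identity ACL entry that permits `group`.

    With resolve_nested=False only direct membership counts, which is the
    behaviour that would make an ACL on Global_FTP miss a member of
    FTP_OfficeXX while an ACL on FTP_OfficeXX itself still matches.
    """
    if resolve_nested:
        return user in effective_members(group, directory)[0]
    return user in direct_members(group, directory)


def diagnose(group, user, max_members=None, directory=DIRECTORY):
    """Summarise why an ACL on `group` might not match `user`.

    max_members is a hypothetical threshold for the check, not a documented
    ASA value.
    """
    users, depth = effective_members(group, directory)
    return {
        "direct": user in direct_members(group, directory),
        "effective": user in users,
        "path": member_path(group, user, directory),
        "nesting_depth": depth,
        "size": len(users),
        "over_limit": max_members is not None and len(users) > max_members,
    }


if __name__ == "__main__":
    for g in ("FTP_Small", "FTP_OfficeXX", "Global_FTP"):
        print(g, diagnose(g, "igor", max_members=50))
```

Run against real AD, the same comparison is what `Get-ADGroupMember -Recursive` versus a non-recursive query gives you: if the user only shows up in the recursive result for Global_FTP, the ACL on that group depends on nested-group resolution, which is the first thing to confirm with the firewall's own identity and group commands and in the AD agent's view of the group.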
09-30-2013 08:12 AM
Hello again everybody,
I was wondering if maybe, because of summer vacations, some of you missed this post.
Does anyone have any idea why the ACL does not match when using an older group with more members?
Thanks in advance.
Best regards,
Igor