Solved: Re: RAVPN: Choose group-policy based on AD group membership

matty-boy · ‎09-16-2018

Hi all,

I'm replacing a customer's ASAs with FTDs and I've hit a couple of snags.

The customer is currently using clientless SSL VPN for contractors to access a small subset of internal services.

Contractors authenticate their SSL VPN session to the ASA local user database whereas normal employees authenticate to active directory. Each user group has a separate group policy and alias.

FTDs do not support local users or clientless VPN so I have to use AnyConnect for the contractors and somehow assign different access policies depending on their AD group membership. I could be wrong, but I don't think FTD supports this natively?

I don't think the Firepower User Agent will achieve what I need either.

So I'm thinking the only solution is to use a RADIUS server like ISE or ACS or something and use that to send down an AV pair to the FTD to influence the chosen group policy.

Any thoughts?

Many thanks in advance,

Matt.

Rahul Govindan · ‎09-16-2018

You are correct. To use LDAP group-membership info for group-policy assignment, you need the LDAP attribute map feature. This works on the ASA, but supported not the FTD yet. For FTD, you would have to use Radius server to set the group-policy name via the Radius Class attribute. If you are using AD, the easiest option would be to use the Network Policy Server functionality in the Windows server. The NPS settings would be the same as given in this doc for the ASA: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

View solution in original post

Rahul Govindan · ‎09-17-2018

This could because of the tunnel-group the user ends up connecting to. If you have that option checked, the user sees the option to connect to all the tunnel-groups that have an alias set. IF you do not have this checked, the url "vpn.domain.com", usually takes you directly to the DefaultTunnelGroup. This may be why your authentication is failing.

View solution in original post

Rahul Govindan · ‎09-16-2018

You are correct. To use LDAP group-membership info for group-policy assignment, you need the LDAP attribute map feature. This works on the ASA, but supported not the FTD yet. For FTD, you would have to use Radius server to set the group-policy name via the Radius Class attribute. If you are using AD, the easiest option would be to use the Network Policy Server functionality in the Windows server. The NPS settings would be the same as given in this doc for the ASA: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

matty-boy · ‎09-17-2018

Hi Rahul,

Thank you for confirming my suspicions. I got it working with a Cisco ACS server doing the RADIUS duties but I stumbled on another 'funny' though....

As long as "Allow Users to select connection profile while logging in" is checked and an Alias exists and is enabled under the connection profile it works fine. But if I disable or delete the alias or I uncheck the "Allow Users to select connection profile while logging in" option, authentication fails? No evidence in the logs of the FTD talking to the ACS server at all. Weird.

Cheers!

Matt.

Rahul Govindan · ‎09-17-2018

This could because of the tunnel-group the user ends up connecting to. If you have that option checked, the user sees the option to connect to all the tunnel-groups that have an alias set. IF you do not have this checked, the url "vpn.domain.com", usually takes you directly to the DefaultTunnelGroup. This may be why your authentication is failing.

matty-boy · ‎09-17-2018

You were right! Again! Adding an alias URL did the trick!

Thank you Rahul! :-)