This video features a step by step walk through of configuring Cisco AnyConnect on FTD managed by FMC. Timestamps included for certificate installation, Access Control, Licensing, NAT, and Deployment failures.
Time 6:12, you added CA Certificate (paste certificate here) . Is this the Root CA Certificate (from the CA authority which I'll send CSR to sign it) you added?
This is the CA certificate that will ultimately sign your identity certificate. For instance if you had this structure:
It would be the SubCA1 that you would put here. Similar to the ASA when we authenticate a trustpoint with the CA, then import the ID cert to the same trustpoint. It is always the CA that directly signs the certificate in the full certificate chain.
Please let me know if that clarifies it for you, or if you have any additional questions.
I have a question about licensing: at minute 2:51 you mention that the amount of Anyconnect (Plus or Apex) to purchase has to match the number of users connecting to the FTD VPN endpoint Firewall but when an FTD is enabled to use Anyconnect license on the FMC then the number of these licenses decreases only by 1 and not by the amount of users actually connected, did I get this right?
So please let me know if these assumptions are correct:
if we have 1000 users concurrently connecting on 5 different FTDs we should purchase 1000 Anyconnect licenses
When we enable our FTDs to use Anyconnect license through FMC then the number of used Anyconnect licenses should decrease in our Smart Account to 995
if these 5 FTDs are for example Firepower 2110 that allows 1500 max remote access users and we have in total more than 1000 users connected (say 2000 between all the FTDs), the licenses will not reflect the number of users connected and so they will be allowed anyways
Obviously, to be compliant, we have to purchase the additional 1000 Anyconnect licenses (I think Cisco allows a grace period of 40 days to be compliant) but there this is not reflected in the license count in the Smart Account
Also
if all the statements above are correct, what is the license count usage for HA FTDs ? is it one license applied for HA pair or is for each individual FTD?
Anyconnect licenses are to be purchase for concurrent users or for individual users? I mean if we have 1000 users in total but only 500 are connecting concurrently to our remote access vpn, do we need to purchase 1000 licenses or 500 ?
To answer the last two questions, when you apply a license to an HA pair, it is one license count per box. So it should decrease by 2 licenses, one for each FTD device.
Note: The number of licenses needed for AnyConnect Plus or Apex is based on all the possible unique users that may use any Cisco AnyConnect service. The exact number of Plus or Apex licenses should be based on the total number of unique users that require the specific services associated with each license type.
You should purchase licenses based on the total number of possible unique users that are authorized by your company to access AnyConnect. If you have 10000 employees in your company, but only 1000 would ever be in a position to work remotely and need AnyConnect access, then you would purchase 1000 licenses.
Please let me know if this clears things up, or if you have any additional questions.
I would like to ask if these statement are valid also for ASA code and if with FTD there is an actual difference of feature set technically enabled between Anyconnect Plus and Apex.
For example Anyconnect APEX is necessary for ISE posture but with ASA code there is no practical check where this is enforced, as far as I know only in ISE there is a check for the ISE Apex license.
Is this the same behavior for FTD code or for example an Anyconnect APEX license needs to be enabled in FTD for posture to be processed by an anyconnect client in remote access to the FTD device with an ISE in the backend?
The check is always done on ISE, whether the headend is the ASA or the FTD box. You need the APEX/PLUS license to use the AnyConnect client on the ASA/FTD but ISE posture license check is done on the ISE side, not the headend side.
I was referring to any license enforcement that would be different on FTD code from ASA code but apparently no difference.
Thanks again for your help
PS: I may have some comments on FTD features I would like to share but I guess this is not the right thread for that, if by any chance I could get in touch here or directly with you about it let me know
Another question : I am running a test with FTD and remote access and I would like to use a wildcard certificate on the outside interface, is it possible to do it with FMC?
I am failing to see how to apply a wildcard certificate (that I imported on the internal certificates objects) to the remote access outside interface, at least through the wizard there is no option to do so
EDIT:
I just realized my error, to load a wildcard certificate, or any certificate to use on a outside interface for remote access on the firewalls all what is needed is to select
Enrollment type : PKCS12 File
Then upload the certificate along with the private key and the passcode.
It looks like you have it sorted out now. Let me know if you are still having issues.
I will have a full series on certificate on ASA, FTD, FDM, IOS XE, and IOS routers in the coming weeks. I will include PKCS12, Self-signed, Manual, and SCEP enrollment along with just about anything you can think of relating to certs and Cisco devices.
Additionally, we will be having an event to discuss some of the other questions you had about FTD on Monday.
i am using ISE to do authentication and ad/ldap flexconfig to map group policies.
when i deployed it, it encounterd the same error like you first deploy.
error:ERROR:aaa-server GROUP [AD] does not exist
the AD is the realm name which associated with my AD server.
i checked the config in cli. and found below already there.
aaa-server ISE-raidus (outside) host 10.79.247.23
I see you used the radius server to do authentiation and realm/ad to map ldap groups for vpn use.
that means, you have aaa-server rtpvpn-nps host xxxx and aaa-server rtpvpn-ad host 14.26.135.50 in the same ravpn FTDTraining
is that supported
thank you Jianfeng Qi
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
