Firepower Management - Cisco Any Connect Connections

NYS_MSP_Guy
Level 1

We are currently deploying FTDs to their respective sites, with each having its own domain name and domain on the Firepower Management Center. We currently have the FMC's domain pointing to their site RADIUS server and the VPN connections set up.

Our problem: we want to be able to configure two IPv4 pools, each with its corresponding VPN profile that points to RADIUS for authentication. RADIUS is our problem: we can only point RADIUS to the IP of the FMC, and only one rule on the NPS allowing the AD group authentication.

Where the heck do I find write-ups or instructions on how to allow different aliases, with different authentications, to NPS or any other format?

Literally nothing but Cisco guides, but no RADIUS or LDAP guides for making it all work.

5 Replies

Marvin Rhoads
Hall of Fame

I'm not quite sure if you want to:

a. use multiple RADIUS servers (which you can do from FMC and then select them as appropriate for a given remote access VPN policy) or

b. something else.

Can you explain a bit further?

Marvin,

We currently have 5 FMCs, each with their own domains and FTDs attached to them. Each FTD is on its own separate domain, so each FTD in theory would need its own RADIUS server, as the global FMC is hosted in a data center.

My problem is that you cannot add the NPS rule to an active RADIUS server WITHOUT moving the rule to the top, which then breaks every other rule below. You cannot also appropriately.

Problem 2: we want to use two RADIUS servers, for obvious redundancy; we then want to have two aliases on the VPN side, one for one group and one for another. You cannot apply an alias to a RADIUS rule which looks at an AD group to drop them into their own pool.

It sounds like your issue is more with your RADIUS server than it is with Firepower. When you say "NPS rule" are you talking about Microsoft Network Policy Server?

If Cisco ISE were your RADIUS server, it can generally discriminate on username, OU membership, connection profile etc. to determine what authorization result to return.

Marvin,

Thanks for the information on ISE, I will check that out. Unfortunately I was going to be under the impression that you could create two "aliases" for VPN connection, then be able to discriminate with RADIUS who can log into each "alias". I assume you could split the two aliases off to two RADIUS servers, with potentially two different VPN profiles, but then it's convoluted at that point. I am also at the whim of the customer, so being able to edit configurations and servers is only on their downtime, so building this all at home is going to be my next option. I wish there was more documentation on this, but I also understand FMC seems to be on its way out the door and isn't very straightforward if you're not 100% Cisco.

Each connection profile (known as a "tunnel-group" in the running-config) you add in FMC can have a unique RADIUS authentication server. You can also assign each of them unique aliases and VPN profiles. Additionally, your connection profiles can use separate group policies or share common ones.

Within your RADIUS server authorization results (or at least within Cisco ISE or the older ACS - not sure about Microsoft NPS) we can change the assigned connection profile dynamically based on attributes such as the username, AD group membership etc.
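As an added illustration (constructed for this post, not the thread's own configuration), here is the shape of the running-config the reply above describes in the ASA-style syntax FTD uses: two connection profiles, each with its own alias, pool and group policy, sharing one RADIUS server group that holds two NPS hosts for redundancy. All names, addresses and pools are assumed placeholders.

```text
! Constructed example, not the thread's config: two connection profiles (tunnel-groups),
! each with its own alias, address pool and group policy, sharing one RADIUS server group
! that contains two NPS hosts for redundancy. Names and addresses are placeholders.
ip local pool POOL-STAFF 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool POOL-CONTRACTORS 10.10.20.1-10.10.20.100 mask 255.255.255.0
!
! One server group with two RADIUS hosts: the second is tried if the first fails
aaa-server RADIUS-SITE-A protocol radius
aaa-server RADIUS-SITE-A (inside) host 192.0.2.10
 key <shared-secret>
aaa-server RADIUS-SITE-A (inside) host 192.0.2.11
 key <shared-secret>
!
! Group policies carry the pool; group-lock ties each policy to one tunnel-group so a
! user authorized for the Staff policy cannot connect through the Contractors alias
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-STAFF
 group-lock value TG-STAFF
group-policy GP-CONTRACTORS internal
group-policy GP-CONTRACTORS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-CONTRACTORS
 group-lock value TG-CONTRACTORS
!
! Connection profiles: each has its own alias and could point at a different
! authentication-server-group if the sites need separate RADIUS servers
tunnel-group TG-STAFF type remote-access
tunnel-group TG-STAFF general-attributes
 authentication-server-group RADIUS-SITE-A
 default-group-policy GP-STAFF
tunnel-group TG-STAFF webvpn-attributes
 group-alias Staff enable
tunnel-group TG-CONTRACTORS type remote-access
tunnel-group TG-CONTRACTORS general-attributes
 authentication-server-group RADIUS-SITE-A
 default-group-policy GP-CONTRACTORS
tunnel-group TG-CONTRACTORS webvpn-attributes
 group-alias Contractors enable
!
! Show the alias drop-down to the AnyConnect client
webvpn
 tunnel-group-list enable
!
! On the RADIUS side, the per-AD-group NPS network policy returns the IETF Class
! attribute as "OU=GP-STAFF;" (or "OU=GP-CONTRACTORS;"); the firewall applies that
! group policy instead of the profile default, so the AD group decides the pool.
```

On FTD these objects are created in the FMC Remote Access VPN policy (connection profiles, group policies, address pools and the RADIUS server group object) rather than typed at the CLI; FMC deploys the equivalent lines. The group-lock lines are the check worth keeping: without them a user whose RADIUS result maps to one group policy could still connect through the other alias.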