Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2563
Views
5
Helpful
2
Replies

FMC, AnyConnect, and RADIUS - assign conection profile?

Go to solution
wildbluesky
Level 1
Level 1

‎08-30-2018 08:57 AM - edited ‎02-21-2020 09:27 PM

Setting up remote access VPN from FMC - I'm authenticating to my Windows NPS server ok, and I can use 3076 / 85 to group lock the user to the right connection profile.  I want to take it one step further and disable the ability to choose a connection profile and just assign it based on AD group membership.  I can't find how to do that with FMC.  Can anyone point me in the right direction?  Bonus points if you can also explain how to use DHCP server and assign the scope based on connection profile.  I remember doing it with ASA.... FMC is a little different and I'm trying to catch up with it.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎08-30-2018 09:57 AM - edited ‎08-30-2018 09:58 AM

Do you mean assigning a group-policy based on AD membership? You cannot choose Connection profile based on AAA credentials because that is where the Firepower/ASA defines what auth mechanism to use. But you can get the same behavior with assigning different group-policies to users based on their AD credentials. A few things to do this and I believe you already have major portions completed.

 

1) Choose a tunnel-group/connection profile where you want all users to fall into

2) Assign a group-url for that CP and set it to "https://<FQDN>"

3) Find the default group-policy assigned to the CP. Under that group-policy settings, set simulataneous logins to 0.

4) Create different group-policies for different sets of users.

5) On NPS, create conditions to Assign Radius Class attribute as "Group-policy-Name". The conditions can be based on your AD group membership.

6) Inside the group-policy, add scope under the general tab

dhcp-scope.PNGThe flow be as follows:

 

User goes to https://vpn[dot]domain[dot]com. No dropdown or list to choose from. They enter their AD credentials. Based on AD credentials, NPS returns Access-Accept with group-policy name set as Radius Class atribute. FTD then uses this info and automatically maps this user to that group-policy. Based on the group-policy, the DHCP scope and other options are applied to the user. If the user is not part of any of the NPS conditoons, you can send a Reject from NPS or send an accept with no Class attribute. They will fall into the Default group policy for that CP and be dropped (simultaneous logins =0).

 

Hope this helps. 

View solution in original post

2 Replies 2

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎08-30-2018 09:57 AM - edited ‎08-30-2018 09:58 AM

Do you mean assigning a group-policy based on AD membership? You cannot choose Connection profile based on AAA credentials because that is where the Firepower/ASA defines what auth mechanism to use. But you can get the same behavior with assigning different group-policies to users based on their AD credentials. A few things to do this and I believe you already have major portions completed.

 

1) Choose a tunnel-group/connection profile where you want all users to fall into

2) Assign a group-url for that CP and set it to "https://<FQDN>"

3) Find the default group-policy assigned to the CP. Under that group-policy settings, set simulataneous logins to 0.

4) Create different group-policies for different sets of users.

5) On NPS, create conditions to Assign Radius Class attribute as "Group-policy-Name". The conditions can be based on your AD group membership.

6) Inside the group-policy, add scope under the general tab

dhcp-scope.PNGThe flow be as follows:

 

User goes to https://vpn[dot]domain[dot]com. No dropdown or list to choose from. They enter their AD credentials. Based on AD credentials, NPS returns Access-Accept with group-policy name set as Radius Class atribute. FTD then uses this info and automatically maps this user to that group-policy. Based on the group-policy, the DHCP scope and other options are applied to the user. If the user is not part of any of the NPS conditoons, you can send a Reject from NPS or send an accept with no Class attribute. They will fall into the Default group policy for that CP and be dropped (simultaneous logins =0).

 

Hope this helps. 

Go to solution
wildbluesky
Level 1
Level 1
In response to Rahul Govindan

‎08-30-2018 12:59 PM

That's exactly what I needed - thank you!

I think I'm still missing something simple with my scope selection, but it does use group-policy based on AD group membership now.

0 Helpful
Customers Also Viewed These Support Documents