1289 Views · 2 Helpful · 5 Replies

All active directory users can Remote Access VPN

Herald Sison (Level 3)

Hi All,

I have configured Remote Access VPN via FMC 7.0.1.1 with FTD 7.0.1.1 on an ASA5508X.

All is working fine except that all users can access RAVPN, which is not expected, even though I already created a specific group that can access the AnyConnect VPN and targeted it with an LDAP Attribute Map.

I want to limit the AnyConnect VPN access to only one group of employees.

Kindly advise what is missing in my config.

5 Replies

I assume you have configured an LDAP Attribute Map with one value map for your intended user group? Then you can add a second value map that maps the Domain Users to a group-policy without VPN permission.

Hi Sir, this is what I did below. Is this the correct way?

[attachment: 1.jpg]

Accepted solution:

Yes, with an additional Value Map you can assign all Domain Users a group-policy without VPN access.

Hi Sir, thank you, it worked, but what I did is I made a security group and added all domain users that do not belong to the allowed VPN users, which is more inconvenient on my part since we have 680 staff here, so I can't add them one by one.

I also tried to target the Domain Users group (which is the default) from the LDAP map, but it goes back to my problem, which is that all users can access the VPN. I even added the Domain Users group to the security group that I made, but still the same problem.

So for now the solution that works for me is to create a new security group and then add all domain users that are restricted from using the VPN.

Is there another way to make it more convenient? Here is my screen cap below.

[attachment: 1.jpg]

Hi Sir, I found a workaround.

I assigned the NO_ACCESS_GP group policy I made, which prevents users from accessing the VPN, as the default policy of the Tunnel Group that I made (the Employees tunnel group). Then I target the VPN_Users security group from AD in the LDAP attribute map and use RAVPN_GP, so users that match that LDAP attribute map are the ones who are allowed to access the VPN.

[attachments: 1.jpg, 2.jpg]
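For readers landing here from a search, the following is an added example (not configuration posted in this thread) showing the two approaches discussed above in ASA-style CLI, which is the form FMC deploys to the FTD. It covers the accepted answer (a second value map for Domain Users) and the final workaround (NO_ACCESS_GP as the tunnel group's default group-policy). The group-policy, tunnel-group and AD-group names are the thread's own (RAVPN_GP, NO_ACCESS_GP, VPN_Users, Employees); the DNs, IP address, attribute-map name, server-group name and address pool are placeholders to be replaced with your own values.

```text
! Added example, not from the thread. Names RAVPN_GP, NO_ACCESS_GP,
! VPN_Users and Employees come from the thread; DNs, the host address,
! VPN_ATTR_MAP, AD_REALM and RAVPN_POOL are placeholders.

! 1. A group-policy that denies VPN logins: with
!    vpn-simultaneous-logins 0, any session mapped to this policy
!    fails at login even though the user authenticated successfully.
group-policy NO_ACCESS_GP internal
group-policy NO_ACCESS_GP attributes
 vpn-simultaneous-logins 0

! 2. The group-policy for permitted users (other settings omitted).
group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

! 3. LDAP attribute map: memberOf -> Group-Policy.
!    The second map-value is the accepted answer's approach.
!    Caveat: Active Directory does not list a user's primary group
!    (Domain Users by default) in the memberOf attribute, so the
!    Domain Users line only matches users whose primary group has been
!    changed. It cannot be relied on as a catch-all, which matches the
!    behaviour reported in the thread when Domain Users was targeted.
ldap attribute-map VPN_ATTR_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_Users,OU=Groups,DC=example,DC=com" RAVPN_GP
 map-value memberOf "CN=Domain Users,CN=Users,DC=example,DC=com" NO_ACCESS_GP

! 4. Bind the attribute map to the AD server definition.
aaa-server AD_REALM protocol ldap
aaa-server AD_REALM (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map VPN_ATTR_MAP

! 5. The workaround from the last reply, and the reliable catch-all:
!    the tunnel group's default-group-policy is NO_ACCESS_GP, so any
!    authenticated user with no matching map-value is denied, while
!    VPN_Users members are switched to RAVPN_GP by the attribute map.
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool RAVPN_POOL
 authentication-server-group AD_REALM
 default-group-policy NO_ACCESS_GP
```

To verify which policy a user actually received, run `show vpn-sessiondb anyconnect filter name <username>` and check the Group Policy field, and use `debug ldap 255` during a test login to see the memberOf values returned by AD and the Group-Policy the map selected. On FTD these commands are entered from `system support diagnostic-cli`. Because step 5 denies by default, a user who is mistakenly not in VPN_Users fails closed rather than gaining access, which is the safer failure mode for an allow-list.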