Anyconnect Azure SAML Configuration

Karol Kot
Level 1

Hi,


I'm having a problem with the correct configuration of Remote Access VPN with Azure SAML on a Firepower appliance. How do I manage to create an access control rule based on the specific user that I'm connecting as through Microsoft? I've tried to set up realms with AD but it doesn't work. When I reconfigure remote access to authenticate through AD, rules based on users work without problem. I've noticed that, when I connect through the Microsoft portal, the user that I'm connecting as isn't listed in "Active sessions", and in the logs it shows that traffic is blocked and the "initiator user" is "not found" (without decryption) or "Pending user" (with decryption enabled).


My question is, is it even possible to create access control rules based on users that I'm connecting as through the Microsoft portal?

3 Replies

Karol Kot
Level 1

No one?

Marvin Rhoads
Hall of Fame

Realm integration with on premises AD and an identity policy (whether the source is ISE or User Agent) won't help when you are using Azure AD for authentication.

You should be picking up the user identity, though, from the VPN authentication. Do the usernames show up in the CLI show command "show vpn-sessiondb anyconnect"?

Karol Kot
Level 1

Yes, they do, but not in 'active sessions' in FMC.
