
AnyConnect Dynamic ACL on Firepower Threat Defense

TJ-20933766
Spotlight

Goal: Filter AnyConnect VPN connections on Firepower 2120 (managed by FMC) in a similar way that ASA's use DAP. Users authenticate to a Microsoft Network Policy Server (NPS).

 

Problem: I've found some admins talk about sending dynamic ACLs via the RADIUS server to Firepower (https://www.reddit.com/r/networking/comments/f29r2o/alternative_to_dynamic_access_policy_dap_on_cisco/). Assuming that this means sending an attribute whose value is an ACL name to the Firepower, I tried creating an extended access list in FMC and used the attribute "Filter-Id" with the value of the ACL name, but it would never get applied to new AnyConnect sessions.

 

Upon further inspection of Cisco documentation (https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html), attribute 87 should be used for outbound filtering. I removed the "Filter-Id" attribute and replaced it with 87 using the same value, but no luck.

 

Is anyone doing this? If so, I would very much appreciate some guidance.
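The question above tries two different attributes (standard Filter-Id, then Cisco attribute 87) without knowing which one the NPS actually put on the wire. The helper below is an added diagnostic, not code from the thread: it decodes the attribute section of a RADIUS Access-Accept (the bytes after the 20-byte header) and reports which of the two forms carried an ACL name. It assumes the Cisco VPN vendor id 3076, a constructed sample reply, and a hypothetical function name `acl_attributes`.

```python
# Added diagnostic helper (not from the thread): decode a RADIUS Access-Accept
# attribute body to confirm which attribute the RADIUS server really returned.
import struct

FILTER_ID = 11                  # standard RADIUS Filter-Id attribute
VENDOR_SPECIFIC = 26            # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VPN3000_VENDOR_ID = 3076  # vendor id of the ASA/FTD VPN attribute set (assumed here)
ACCESS_LIST_OUTBOUND = 87       # the attribute the cited Cisco doc names for outbound filtering

def encode_attr(atype, value):
    """Standard RADIUS TLV: type(1) length(1) value."""
    return bytes([atype, 2 + len(value)]) + value

def encode_cisco_vsa(vtype, value):
    """Vendor-Specific wrapper: vendor-id(4) then vendor type(1) length(1) value."""
    inner = bytes([vtype, 2 + len(value)]) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + inner)

def parse_attrs(body):
    """Return ((kind, ...), value) tuples for every attribute in a RADIUS attribute body."""
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        value = body[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA sub-attribute")
                out.append((("vsa", vendor, vtype), value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((("std", atype), value))
        i += alen
    return out

def acl_attributes(body):
    """Map the two ways the thread tried to push an ACL name to the name actually sent."""
    result = {"Filter-Id": None, "Cisco-87": None}
    for key, value in parse_attrs(body):
        if key == ("std", FILTER_ID):
            result["Filter-Id"] = value.decode()
        elif key == ("vsa", CISCO_VPN3000_VENDOR_ID, ACCESS_LIST_OUTBOUND):
            result["Cisco-87"] = value.decode()
    return result

# Constructed sample body (not a real capture): an Access-Accept carrying both forms.
SAMPLE_BODY = encode_attr(FILTER_ID, b"VPN_CONTRACTORS") + encode_cisco_vsa(ACCESS_LIST_OUTBOUND, b"VPN_CONTRACTORS")
```

Feed it the attribute bytes from a packet capture of the NPS reply to see whether the ACL name reaches the FTD at all before debugging the firewall side.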

Accepted Solution

TJ-20933766
Spotlight

I was able to find a workaround and thought this could come in handy for someone else.

1. Create a Realm under System > Integration > Realm. This is the connection to Active Directory so that the firewall can see the security group membership of the remote access VPN user.

2. Link the realm to the RADIUS server by going to Objects > Object Management > RADIUS Server Group and selecting the Realm created in step 1 in the "Realms" dropdown. This is easy to overlook and caused me hours of banging my head wondering why this wasn't working. We are using RADIUS because the Duo Authentication Proxy provides the 2FA, so Duo is our primary authentication server for the Connection Profile.

3. Create an Identity Policy by going to Policies > Access Control > Identity. You can find a video by Cisco on how to do this here: https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_videos/63/cisco_fmc_create_identity_policy_and_rule.html. This identity policy is the step needed to tie the Realm created in step 1 to the Access Control Policy.

4. Go to the Access Control Policy by going to Policies > Access Control > Access Control and edit the existing policy. Assign the Identity Policy you created in the previous step by clicking on the hyperlink to the right of the words "Identity Policy:". Choose the policy and save.

5. Create rules in the Access Control Policy (ACP) specifically for the remote access VPN connections. The key here is to use the "Users" tab to reference the Active Directory security group and the kinds of access you want users in those security groups to have.

6. Go to Devices > VPN > Remote Access then go to the Access Interfaces tab. Make sure that "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" is not checked. This forces the AnyConnect traffic to use the ACP rules created in the previous step.

 

That should do it! Now you can assign different levels of access through the remote access VPN just by assigning users to security groups. In my scenario, we had a contractor's VPN where they could only access the HVAC system, HR was only able to access HR systems, and IT had much broader access but was not allowed into the HR systems. I hope this helps someone else out there.

 

-Tyson Joachims


3 Replies


Was anyone else able to make this solution work for them? I have agency machines that connect via AnyConnect. We want to allow access to RAVPN only to the agency domain machines; the rest are denied access. I am hoping this feature is available soon in Cisco FMC; if it already is, please direct me. Thanks.

dkornel01
Level 1

I'm still trying to set it up with FreeIPA and FreeRADIUS.

Everything works fine: FMC can read the groups from IPA and FTD can authenticate the RAVPN users, but I also have a problem with point nr. 2: under RADIUS Server Group, nothing appears in the 'Realms' dropdown. Could someone guide me, what did I do wrong? FMC version 6.6.1.