Anyconnect FTD

sadist001
Level 1

Hello,

We have two Cisco 1140s in HA. AnyConnect VPN with Active Directory authentication is also configured on them. The problem is that when a user is not a member of any group, he can connect to Cisco AnyConnect. How can I fix this issue?

Accepted Solutions

I understand that, read the guide. The purpose of the configuration in the guide is to restrict access if the user is not a member of the group. You create a NOACCESS group policy and set the Simultaneous Login Per User to 0 - meaning they cannot log in if not a member of a group.
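An added example, not from the thread or the Cisco guide: a Python check over an exported running configuration that verifies the setup the accepted answer describes. It assumes ASA-style configuration syntax and that NOACCESS is assigned as the connection profile's default group policy; all object names, the DN and the address are constructed placeholders.

```python
# Constructed sample in the ASA-style syntax of a device running configuration.
# Every object name, the DN and the IP address are placeholders.
SAMPLE = """\
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" VPN-USERS
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-attribute-map AD-MAP
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
tunnel-group RA-VPN general-attributes
 default-group-policy NOACCESS
"""


def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, body = {}, None
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            body = sections.setdefault(line.strip(), [])
        elif line.strip() and body is not None:
            body.append(line.strip())
    return sections


def audit(config):
    """Return findings; an empty list means users with no mapped group are denied."""
    sections = parse_sections(config)
    findings = []
    if not any(h.startswith("ldap attribute-map ") and "map-name memberOf Group-Policy" in b
               for h, b in sections.items()):
        findings.append("no LDAP attribute map assigns Group-Policy from memberOf")
    for header, body in sections.items():
        if not (header.startswith("tunnel-group ") and header.endswith(" general-attributes")):
            continue
        # Assumption: a user whose memberOf matches no map-value gets this default policy.
        default = next((ln.split()[1] for ln in body if ln.startswith("default-group-policy ")),
                       "DfltGrpPolicy")
        attrs = sections.get(f"group-policy {default} attributes", [])
        if "vpn-simultaneous-logins 0" not in attrs:  # unset is treated as "login allowed"
            findings.append(f"{header.split()[1]}: default group policy {default} permits login")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "unmapped users are denied")
```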

5 Replies

FMC, 6.6.4

@sadist001 you'll have to use the link I provided above to push out the LDAP settings to control the user access.

From version 6.7+ this is built into the GUI, so you could use the built-in LDAP attribute maps.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.pdf

Thanks for your reply.

The problem is authentication. Filtering using AD groups works. But if a user is not a member of any group, he can still connect to AnyConnect.
