Anyconnect VPN with FTD and ISE (permissions set by user group)

cnegrete (Level 1)

Hi everyone. I can't find a concrete answer to this one.

I have a Firepower 2130 with FTD, and an ISE server and I need to assign different permissions per user group.

The only approach I've seen that's supported is by sending an attribute from ISE that controls the Group Policy on the Firewall.

Question time:

1. Is this the only method? I saw DACL but apparently it's only supported on ASA. Isn't there an option to send the "Access List Filter" as defined on the Group Policy?

2. Whatever the method that works, what should be the av-pair that I need to send from ISE to FTD?

 

Thanks for your time.

 

3 Replies

Hi,

DACLs are supported on FTD, certainly from 6.4 onward.

You would just need to define multiple DACLs and reference these in unique Authorisation Profiles. In the policy set, define multiple Authorisation rules, match on the unique AD groups and apply the unique Authorisation Profile.

 

Alternatively you could use TrustSec SGTs, apply a unique SGT per user AD group (it's more complex than DACLs however). Reference guide here.

 

HTH

So I would need to define the DACLs in ISE, right? It kinda defeats the purpose of having all my objects and groups in FMC...
The firewall guys won't like this approach =(

Yes, DACLs are defined on the ISE.

If you still want the Firewall Admins to maintain the ruleset, then the alternative method using TrustSec SGTs will allow this. The SGTs are defined in ISE and associated to the user upon successful authorisation. The actual ruleset is still controlled on the FMC; the ACP rules just reference the SGT as the source object.
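As an added example (not part of the thread above, and not Cisco's or ISE's own code), the following Python models the RADIUS Access-Accept attributes that ISE returns to an ASA/FTD RA-VPN headend so that the user's AD group drives the authorization result: the Class (25) attribute carrying `OU=<group-policy>;` to select the group policy, and a Cisco vendor-specific `cisco-av-pair` carrying `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<version>` to reference a DACL. The attribute wire formats are the standard RADIUS/Cisco VSA encodings; the rule table, AD group names, group policy names, DACL names and ACL contents are constructed samples, and the DACL version suffix is derived from the ACL content here as a stand-in for the value ISE generates. The SGT approach from the last reply is not modelled.

```python
"""
Model of the RADIUS Access-Accept attributes an AAA server (ISE) hands back to
an ASA/FTD RA-VPN headend so that the user's AD group selects the group policy
and DACL.  Added example: attribute formats are the standard ones, the rule
table and DACL contents below are constructed samples.
"""
import hashlib
import struct

RADIUS_CLASS = 25          # standard RADIUS attribute "Class"
RADIUS_VSA = 26            # Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # Cisco sub-attribute 1 = cisco-av-pair
MAX_ATTR_VALUE = 253       # a RADIUS attribute value is at most 253 bytes

# Constructed rule table, evaluated top-down like ISE authorization rules:
# (AD group, group policy to select on the firewall, DACL name, DACL lines)
AUTHZ_RULES = [
    ("VPN-Admins", "GP-ADMINS", "DACL-ADMINS",
     ["permit ip any any"]),
    ("VPN-Engineering", "GP-ENG", "DACL-ENG",
     ["permit tcp any 10.10.0.0 0.0.255.255 eq 22",
      "permit tcp any 10.10.0.0 0.0.255.255 eq 443",
      "deny ip any any"]),
    ("VPN-Contractors", "GP-CONTRACTORS", "DACL-CONTRACTORS",
     ["permit tcp any host 10.20.0.5 eq 3389",
      "deny ip any any"]),
]


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_class_group_policy(group_policy: str) -> bytes:
    """Class (25) carrying 'OU=<name>;' selects the group policy on ASA/FTD."""
    return _attr(RADIUS_CLASS, f"OU={group_policy};".encode())


def encode_cisco_avpair(avpair: str) -> bytes:
    """Vendor-Specific (26): vendor id 9, sub-attribute 1 (cisco-av-pair)."""
    data = avpair.encode()
    sub = bytes([CISCO_AVPAIR, 2 + len(data)]) + data
    return _attr(RADIUS_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def dacl_reference(name: str, acl_lines: list[str]) -> str:
    """'#ACSACL#-IP-<name>-<version>' as carried in the av-pair
    ACS:CiscoSecure-Defined-ACL.  The version suffix is derived from the ACL
    content here (constructed stand-in for the value ISE generates), so the
    headend only re-downloads the DACL when its contents change."""
    version = hashlib.sha256("\n".join(acl_lines).encode()).hexdigest()[:8]
    return f"#ACSACL#-IP-{name}-{version}"


def build_access_accept_attrs(user_groups: list[str]) -> bytes:
    """First matching rule wins, as ISE evaluates authorization rules in
    order; a user who is in several groups gets the first rule that matches."""
    for ad_group, gp, dacl_name, acl in AUTHZ_RULES:
        if ad_group in user_groups:
            ref = "ACS:CiscoSecure-Defined-ACL=" + dacl_reference(dacl_name, acl)
            return encode_class_group_policy(gp) + encode_cisco_avpair(ref)
    return b""  # no rule matched: ISE's default rule would apply; modelled as no attributes


def decode_attrs(raw: bytes) -> list[tuple[str, str]]:
    """Walk the attribute list and return (name, value) pairs, unpacking
    Cisco VSAs into ('cisco-av-pair', text)."""
    out, i = [], 0
    while i < len(raw):
        t, ln = raw[i], raw[i + 1]
        if ln < 2 or i + ln > len(raw):
            raise ValueError("malformed attribute")
        value = raw[i + 2:i + ln]
        if t == RADIUS_CLASS:
            out.append(("Class", value.decode()))
        elif t == RADIUS_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_t, sub_ln = value[4], value[5]
            if sub_t == CISCO_AVPAIR:
                out.append(("cisco-av-pair", value[6:4 + sub_ln].decode()))
        i += ln
    return out


def authorization_from_attrs(raw: bytes) -> dict:
    """What the headend derives: group policy from Class 'OU=', DACL
    reference from the ACS:CiscoSecure-Defined-ACL av-pair."""
    result = {"group_policy": None, "dacl": None}
    for name, value in decode_attrs(raw):
        if name == "Class" and value.startswith("OU="):
            result["group_policy"] = value[3:].rstrip(";")
        elif name == "cisco-av-pair" and value.startswith("ACS:CiscoSecure-Defined-ACL="):
            result["dacl"] = value.split("=", 1)[1]
    return result


if __name__ == "__main__":
    attrs = build_access_accept_attrs(["Domain Users", "VPN-Engineering"])
    print(decode_attrs(attrs))
    print(authorization_from_attrs(attrs))
```

The rule order matters: a user who is in both VPN-Contractors and VPN-Admins is authorized by the first rule that matches, so the most privileged group should be listed first only if that is the intended outcome. Note also that the DACL is referenced by name and version in the Access-Accept; the headend fetches the ACL body from ISE in a separate exchange, which is why the DACL text itself lives on ISE and not in FMC, as the replies above say.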