1392 Views, 0 Helpful, 6 Replies

ASA5506-X w/ Firepower - Remote Access VPN for specific AD Groups

Stefano Pilla
Level 1

Hi there,

Model: ASA5506-X with FIREPOWER Services

FDM Version: 6.2.3 (83)

I'm trying to configure a Remote Access VPN to allow only AD users in a specific group to use the RA VPN. I don't have a RADIUS server (and I would like to avoid setting one up if possible), so I'm using the AD Realm Object where I have as base DN CN=Users, DC=domain, DC=local. With this configuration all the users in the "Users" OU are able to connect.

I created a group "VPN" in the "Users" OU and changed the base DN to CN=VPN, CN=Users, DC=domain, DC=local, but the users in this group were not able to connect. So as a test I created a new OU called "VPN", and after moving the test users to this OU they were able to connect, so it seems that the firewall can only read OUs.

I have checked through the various configuration guides and it seems that the LDAP attribute memberOf is what I need, but I can't find a way to configure it on the FDM (WebUI and CLI).

Does anybody have any idea how to configure this firewall via FDM to read the AD groups and not the OUs?

Thank you
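The behaviour described in the post above (a group DN used as base DN returns no users, an OU base DN works, and memberOf is the attribute that has to be filtered on) as an added example that is not part of the thread: a small Python model of LDAP subtree scope versus a memberOf filter, run over a constructed sample directory. DIRECTORY, find_users and build_filter are assumptions made for the example, not anything from FDM.

```python
# Added example: why a base DN that points at a *group* yields no user entries,
# while an OU base DN does, and what the memberOf filter for the group looks like.
from typing import Dict, List, Optional

# Constructed sample directory (DN -> attributes). "VPN" exists both as a group
# object under the Users container and as a separate OU, mirroring the thread.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=VPN,CN=Users,DC=domain,DC=local": {
        "objectClass": ["group"],
        "member": ["CN=alice,CN=Users,DC=domain,DC=local"],
    },
    "CN=alice,CN=Users,DC=domain,DC=local": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPN,CN=Users,DC=domain,DC=local"],
    },
    "CN=bob,CN=Users,DC=domain,DC=local": {
        "objectClass": ["user"], "sAMAccountName": ["bob"], "memberOf": [],
    },
    "CN=carol,OU=VPN,DC=domain,DC=local": {
        "objectClass": ["user"], "sAMAccountName": ["carol"], "memberOf": [],
    },
}

def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base itself or lies beneath it in the tree."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return e == b or e.endswith("," + b)

def build_filter(group_dn: str) -> str:
    """LDAP search filter selecting user objects that are members of group_dn."""
    return f"(&(objectClass=user)(memberOf={group_dn}))"

def find_users(base_dn: str, required_group: Optional[str] = None) -> List[str]:
    """Users under base_dn; if required_group is given, keep only those whose
    memberOf attribute lists that group DN (what the base DN alone cannot do)."""
    found = []
    for dn, attrs in DIRECTORY.items():
        if "user" not in attrs.get("objectClass", []) or not in_subtree(dn, base_dn):
            continue  # a group object has no child entries, so it never "contains" users
        if required_group is not None:
            groups = {normalize_dn(g) for g in attrs.get("memberOf", [])}
            if normalize_dn(required_group) not in groups:
                continue
        found.append(attrs["sAMAccountName"][0])
    return sorted(found)
```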

Accepted Solution

Hi @Stefano Pilla,

FTD 6.2.3 had very limited RAVPN features and the ASA 5506 doesn't support 6.3 or above. In FTD 6.5 you can configure LDAP attribute settings via API.

I think your alternative is to set up a RADIUS server or replace the ASA 5506 with a FPR1010 and run 6.5 or 6.6.

HTH

6 Replies

Rami Ibrahim
Level 1

Hi Stefano,

What is the kind of RA VPN you are using?

Is it clientless SSL or AnyConnect full tunneling?

Regards,

Romio

Hi Romio,

It is AnyConnect RA VPN.

Thank you

balaji.bandi
Hall of Fame

Hi @balaji.bandi,

thank you for the response. I already checked that document but the configuration is through FMC. Our customer doesn't have FMC and they use FDM to configure the firewall.

Thank you

Thank you Rob.

Yeah, I noticed that there are very limited RA VPN features on the 6.2.3. I also noticed that there's no way to set up local users and/or add more than 1 Identity Object.

I will have the customer decide what they want to do, as I was suspecting this was an ASA5506-X limitation.

Thank you all for the help.