09-30-2020 04:16 AM
Hi there,
Model: ASA5506-X with FIREPOWER Services
FDM Version: 6.2.3 (83)
I'm trying to configure a Remote Access VPN to allow only AD users in a specific group to use the RA VPN. I don't have a RADIUS Server (and I would like to avoid setting one up if possible), so I'm using the AD Realm Object where I have as base DN CN=Users, DC=domain, DC=local. With this configuration all the Users in the "Users" OU are able to connect.
I created a group "VPN" in the "Users" OU and changed the base DN to CN=VPN, CN=Users, DC=domain, DC=local, but the users in this group were not able to connect. So as a test I created a new OU called "VPN", and after moving the test users to this OU they were able to connect, so it seems that the Firewall can only read OUs.
I have checked through the various configuration guides and it seems that the LDAP attribute memberOf is what I need, but I can't find a way to configure it on the FDM (WebUI and CLI).
Does anybody have any idea how to configure this firewall via FDM to read the AD groups and not the OUs?
Thank you
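As an added illustration (not code from the thread, from Cisco, or from FDM), here is a small Python model of the directory described in the question. The DNs and account names are constructed sample data, and it assumes the firewall does a subtree search from the configured base DN for a user object, which is why a group DN (an object inside CN=Users, not a container) yields no users while an OU does, and why a memberOf filter is the way to express "members of VPN only":

```python
# Added example (not from the thread): an in-memory model of the AD objects the
# post describes, showing why a group DN fails as an LDAP base DN while an OU
# works, and how a memberOf filter expresses "only members of VPN".
# All DNs and account names below are constructed sample data.
USERS_DN = "CN=Users,DC=domain,DC=local"
GROUP_DN = "CN=VPN," + USERS_DN            # the group object, which lives *inside* CN=Users
OU_DN = "OU=VPN,DC=domain,DC=local"        # the OU created as a test, a real container

# DN -> attributes. alice is a member of the VPN group; carol was moved into the OU.
DIRECTORY = {
    USERS_DN: {"objectClass": "container"},
    GROUP_DN: {"objectClass": "group", "member": ["CN=alice," + USERS_DN]},
    "CN=alice," + USERS_DN: {"objectClass": "user", "sAMAccountName": "alice", "memberOf": [GROUP_DN]},
    "CN=bob," + USERS_DN: {"objectClass": "user", "sAMAccountName": "bob", "memberOf": []},
    OU_DN: {"objectClass": "organizationalUnit"},
    "CN=carol," + OU_DN: {"objectClass": "user", "sAMAccountName": "carol", "memberOf": []},
}

def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or sits below it (subtree-scope search)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def find_user(base_dn, username, group_dn=None):
    """Mimic the RA VPN lookup: subtree search under base_dn for a user whose
    sAMAccountName matches; with group_dn set, also require memberOf=group_dn,
    i.e. the filter (&(sAMAccountName=<user>)(memberOf=<group_dn>)).
    Returns the user's DN, or None when the search finds nobody."""
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] != "user" or not in_subtree(dn, base_dn):
            continue
        if attrs["sAMAccountName"] != username:
            continue
        if group_dn and group_dn.lower() not in [g.lower() for g in attrs["memberOf"]]:
            continue
        return dn
    return None

if __name__ == "__main__":
    # Base DN = whole Users container: everyone under it is found (the first symptom).
    print(find_user(USERS_DN, "bob"))
    # Base DN = the group DN: no user object lives *below* a group, so nothing is found.
    print(find_user(GROUP_DN, "alice"))
    # Base DN = the OU: carol is found, because an OU really contains user objects.
    print(find_user(OU_DN, "carol"))
    # What the poster needs: base DN stays CN=Users, with a memberOf filter on the group.
    print(find_user(USERS_DN, "alice", GROUP_DN), find_user(USERS_DN, "bob", GROUP_DN))
```

The memberOf filter is the LDAP-level equivalent of the "LDAP attribute settings" mentioned later in the thread; on this FDM version there is no UI field for it, which is the limitation the question runs into.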
09-30-2020 07:00 AM
FTD 6.2.3 had very limited RAVPN features and the ASA 5506 doesn't support 6.3 or above. In FTD 6.5 you can configure LDAP attribute settings via API.
I think your alternative is to set up a RADIUS server or replace the ASA 5506 with a FPR1010 and run 6.5 or 6.6.
HTH
09-30-2020 04:37 AM - edited 09-30-2020 04:41 AM
Hi Stefano,
What is the kind of RA VPN you are using?
Is it clientless SSL or Anyconnect Full tunneling?
Regards,
Romio
09-30-2020 05:12 AM
Hi Romio,
It is AnyConnect RA VPN.
Thank you
09-30-2020 06:13 AM
If the ASA is running Firepower, the guide below should help you:
09-30-2020 06:47 AM
Hi @balaji.bandi ,
thank you for the response. I already checked that document but the configuration is through FMC. Our customer doesn't have FMC and they use FDM to configure the firewall.
Thank you
09-30-2020 07:05 AM
Thank you Rob.
Yeah, I noticed that there are very limited RA VPN features on the 6.2.3. I also noticed that there's no way to set up local users and/or add more than 1 Identity Object.
I will have the customer decide what they want to do, as I was suspecting this was an ASA5506-X limitation.
Thank you all for the help.