06-15-2022 12:44 PM
We are moving from an ASA5545-X to an FTD-2110 (in FTD mode). On the ASA, we can define the VPN group policies per user in the LOCAL user manager. Is there a place to do this on the FTD? I have not been able to locate this, and I am trying to prevent needing to allow the groups to be seen by the end users in AnyConnect. I have attached a picture of how the ASDM looked. When I go to System>Integration>Realms, I can open the realm and see the users, but I can only change the passwords. I tried creating a new Remote Access VPN Policy to perhaps use different Realms, but it only allows me to assign one policy per device.
It is likely something simple I am missing. Any help would be greatly appreciated.
06-16-2022 06:09 AM
You can use LDAP Attribute Mapping with FMC-managed FTD devices (ideally running 7.0+ since it's in the GUI there vs. needing a FlexConfig). It won't work with local users, but it can assign AD users automatically to a defined group policy based on their AD group or OU membership.
There are some older how-to guides for using it with ASAs and the same logic applies on FTD. I've found this one to be particularly useful:
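For reference, this is what the mapping described in the answer above looks like in ASA syntax, which is also what the pre-7.0 FlexConfig route pushes to the FTD. It is an added illustration, not configuration from the thread or from Cisco's guides; the AD server address, realm name, DNs and group-policy names are placeholders. The last step is the caveat a practitioner will want: make the tunnel group's default group policy a deny-all one, so an AD user who matches none of the map-values cannot log in with some unintended policy.

```cisco
! Group policies that the LDAP map will hand out
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-simultaneous-logins 3
group-policy GP-USERS internal
group-policy GP-USERS attributes
 vpn-simultaneous-logins 1

! Catch-all policy: anyone not matched by the map lands here and is denied
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Map the AD memberOf attribute onto the Cisco Group-Policy attribute.
! The map-value strings must match the group DN exactly as AD returns it.
ldap attribute-map AD-GP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-USERS

! Attach the map to the LDAP server entry (placeholder name and address)
aaa-server AD-REALM (inside) host 10.0.0.10
 ldap-attribute-map AD-GP-MAP

! One tunnel group, so AnyConnect users never see a group drop-down.
! Unmapped users inherit NOACCESS and are refused.
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-REALM
 default-group-policy NOACCESS
```

To check the result after a test login, `show vpn-sessiondb anyconnect` lists the group policy each session actually received, and `debug ldap 255` shows the memberOf values returned and which map-value matched. If a user lands in NOACCESS unexpectedly, the usual cause is a DN in a map-value that does not match the directory string character for character.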
06-18-2022 06:26 AM
Thank you for the information. It is unfortunate that Cisco decided to remove that function from the LOCAL AAA and force the use of LDAP. It was nice only having to worry about 1 box, but I will have to create a VM for some type of LDAP server. Are there any suggestions for an LDAP server, besides Windows? We have an MSP with VMware and Microsoft. If I use MS, then I have to pay a license per user. If I use anything else, I only have to pay for RAM.