Cisco FDM RA VPN and Group Policies

AhmadZ
Level 1

Dear All,

I have a Cisco FDM, where RA VPN is configured. I created several connection profiles with different group policies assigned to each. The problem is that when creating a user, its type is considered as RA VPN User, so it can access any connection profile.

Is there any way to lock that user to a specific connection profile? I don't want that specific user, for example, to have access to the whole network, so there is a different connection profile with a specific group policy.

Thanks in advance!

Best Regards,

3 Replies

@AhmadZ when using FDM local management the features are limited compared to using FMC. Use a RADIUS server: all users connect to the same connection profile and receive a different group policy from the RADIUS server based on their AD group membership.

And how is this achieved? Can you explain more, please, technically?

@AhmadZ return the RADIUS attribute value 25 - which would specify the exact name of the group-policy.

If using ISE as the RADIUS server - configure an authorization profile with "Advanced Attribute Settings" -> Class = ou=<GROUP-POLICY-NAME>. Where <GROUP-POLICY-NAME> is the group-policy name configured on the FTD.

Split the users into different AD groups. When a user from one group connects, they match a rule and you return the group-policy. When another user connects and is a member of a different AD group, they match a different rule and you return another group-policy.
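To make the mechanism in the replies above concrete, here is an added example (not from the thread, not Cisco or ISE code) in plain Python that builds the RADIUS Access-Accept a headend would receive, with attribute 25 (Class) set to "OU=<group-policy>" chosen from the user's AD groups, and then parses and verifies that packet the way the VPN headend does. The AD group DNs, group-policy names, shared secret and request authenticator are all constructed for the example; the policy table and the fail-closed choice of rejecting unmapped users are the author's assumptions, not FTD behaviour.

```python
"""Added example: RADIUS Access-Accept carrying Class (attribute 25) = OU=<group-policy>,
selected from AD group membership, plus the headend-side parse and verification.
All names, the secret and the authenticator below are constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed policy table (assumption): AD group DN -> group-policy name on the FTD.
GROUP_POLICY_BY_AD_GROUP = {
    "CN=VPN-Admins,OU=Groups,DC=example,DC=com": "GP-Full-Access",
    "CN=VPN-Contractors,OU=Groups,DC=example,DC=com": "GP-Restricted",
}

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1   # RFC 2865 User-Name
ATTR_CLASS = 25      # RFC 2865 Class; ASA/FTD read OU=<name> from it to pick the group-policy


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: type (1 byte), total length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def choose_group_policy(ad_groups):
    """First AD group with a mapping wins; None when the user matches no rule."""
    for group in ad_groups:
        policy = GROUP_POLICY_BY_AD_GROUP.get(group)
        if policy:
            return policy
    return None


def build_response(identifier, request_auth, secret, username, ad_groups):
    """Access-Accept with Class=OU=<policy> for mapped users, Access-Reject otherwise.
    Rejecting unmapped users is a deliberate fail-closed choice (assumption): an Accept
    with no Class attribute would leave the user on the connection profile's default
    group-policy, which is exactly the over-broad access the question is about."""
    policy = choose_group_policy(ad_groups)
    if policy is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        attrs = (encode_attr(ATTR_USER_NAME, username.encode())
                 + encode_attr(ATTR_CLASS, ("OU=" + policy).encode()))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3): MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_packet(packet):
    """Return (code, [(type, value), ...]); raises ValueError on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def group_policy_from_response(packet, request_auth, secret):
    """Headend side: verify the Response Authenticator with the shared secret,
    then read the group-policy name out of Class=OU=<name>. Returns None for
    an Access-Reject or an Accept that carries no OU= Class attribute."""
    code, attrs = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch: wrong secret or tampered packet")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        # Cisco documentation shows both "OU=" and "ou="; accept either spelling.
        if atype == ATTR_CLASS and value[:3].upper() == b"OU=":
            return value[3:].decode()
    return None


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed
    req_auth = bytes(range(16))          # stand-in for the Access-Request authenticator
    pkt = build_response(7, req_auth, secret, "contractor1",
                         ["CN=VPN-Contractors,OU=Groups,DC=example,DC=com"])
    print(group_policy_from_response(pkt, req_auth, secret))
```

The two checks a practitioner should take from this: the group-policy name only means anything if the packet's authenticator verifies against the shared secret (a tampered or misdirected reply must not select a policy), and a user who matches no authorization rule should be rejected rather than silently landing on the connection profile's default group-policy.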