764
Views
5
Helpful
3
Replies

Does FTD support authorization-required in tunnel.group ?

ipagliani
Level 1
Ciao,
with AnyConnect with ASA using SAML I usually configure:
  • AuthC with SAML
  • AuthZ with ISE
Because I want to be sure that the AuthZ process goes successfully in order to connect I use the command authorization-required:
tunnel-group MFA general-attributes
 authorization-server-group ISE
 accounting-server-group ISE
 authorization-required
tunnel-group MFA webvpn-attributes
 authentication saml
Is this command supported on FTD (FMC and/or FDM managed)?

 

Otherwise, I have to configure a default-group with no access profile:
  • A default-group-policy with vpn-filter DENY ACL (user still connected... not a good experience)
  • A default-group-policy with vpn-simultaneous-logins 0
Any suggestion?

 

Thanks
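The gap the question describes is an ASA tunnel-group that sends the session to an authorization server but does not set authorization-required, so an Access-Reject from the AuthZ server still leaves the user connected under the default group-policy. The script below is an added example (not from the original post or from Cisco) that audits an ASA running-config for exactly that pattern and prints the corrective lines. The sample config is constructed; the ASA command syntax follows the question, and the parser assumes the one-space indentation ASA uses for sub-mode commands in `show running-config`.

```python
"""Audit an ASA running-config for tunnel-groups that point at an
authorization server but do not enforce its verdict.

Added example, not code from the original post. Finding: a tunnel-group
with 'authorization-server-group' but no 'authorization-required'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: MFA enforces AuthZ, PARTNER does not, LOCALONLY has no AuthZ.
SAMPLE_CONFIG = """\
tunnel-group MFA type remote-access
tunnel-group MFA general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE
 accounting-server-group ISE
 authorization-required
tunnel-group MFA webvpn-attributes
 authentication saml
tunnel-group PARTNER type remote-access
tunnel-group PARTNER general-attributes
 default-group-policy GP-DEFAULT
 authorization-server-group (inside) ISE
tunnel-group PARTNER webvpn-attributes
 authentication saml
tunnel-group LOCALONLY type remote-access
tunnel-group LOCALONLY general-attributes
 address-pool VPN-POOL
"""


@dataclass
class TunnelGroup:
    name: str
    authentication: Optional[str] = None
    authz_server_group: Optional[str] = None
    authz_required: bool = False
    default_group_policy: Optional[str] = None


# Matches the mode-entering lines: "tunnel-group NAME general-attributes" etc.
HEADER = re.compile(
    r"^tunnel-group\s+(\S+)\s+(general-attributes|webvpn-attributes|ipsec-attributes|type)\b"
)


def parse_tunnel_groups(config: str) -> Dict[str, TunnelGroup]:
    """Collect the AuthN/AuthZ-relevant settings of every tunnel-group."""
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[TunnelGroup] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        if not line.startswith(" ") or current is None:
            current = None  # an unindented line ends the sub-mode
            continue
        tokens = line.split()
        if tokens[0] == "authorization-server-group":
            # Syntax: authorization-server-group [(interface)] GROUP [LOCAL]
            args = [t for t in tokens[1:] if not t.startswith("(")]
            current.authz_server_group = args[0]
        elif tokens[0] == "authorization-required":
            current.authz_required = True
        elif tokens[0] == "authentication":
            current.authentication = " ".join(tokens[1:])
        elif tokens[0] == "default-group-policy":
            current.default_group_policy = tokens[1]
    return groups


def find_unenforced_authz(groups: Dict[str, TunnelGroup]) -> List[str]:
    """Tunnel-groups where an AuthZ server is configured but a reject from it
    does not block the session (no 'authorization-required')."""
    return sorted(g.name for g in groups.values()
                  if g.authz_server_group and not g.authz_required)


def remediation(group: TunnelGroup) -> str:
    """ASA lines that make the authorization verdict mandatory."""
    return (f"tunnel-group {group.name} general-attributes\n"
            f" authorization-required")


if __name__ == "__main__":
    parsed = parse_tunnel_groups(SAMPLE_CONFIG)
    for name in find_unenforced_authz(parsed):
        g = parsed[name]
        print(f"[FINDING] {name}: authorization via {g.authz_server_group} is not "
              f"enforced (authentication={g.authentication}, "
              f"default-group-policy={g.default_group_policy})")
        print(remediation(g))
```

Run against a saved `show running-config` by replacing SAMPLE_CONFIG with the file contents; LOCALONLY is intentionally not flagged, since there is no authorization step to enforce.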
2 Accepted Solutions

Ciao, let me explain a little more. In a configuration where the authentication and authorization process is split, for example authentication with SAML and authorization with RADIUS, during my testing lab I see that if the authentication works fine but authorization replies with an access reject, an AnyConnect user is able to connect with the default group-policy configured on FTD. So it's not mandatory for the authorize-only config to reply with ACCESS-ACCEPT.

With ASA I configure the authorization-required command to force a good response for the authorization. But I didn't find it in FTD.

Thanks

 

View solution in original post

ipagliani
Level 1
3 Replies


ipagliani
Level 1

Resolved !!!

[Attached screenshot: Screen Shot 2023-02-08 at 16.21.17.png]