Dynamic VPN by AD user groups?

Veddy
Level 1

All,

We have what seems like a normal use case that I can't seem to sort. A user connects to VPN using Secure Client. We permit access to the company website and company Teams/Outlook after posture clears. After that, if they want access to other company resources, they submit a ticket to our company website and get a new AD group which should give them additional access. I have the FMC doing a realm sync to pull AD groups, but it seems I can only do this every hour. I can swing every 15 minutes, or if there is an API the website can call to do a sync, that would be ideal.

The GUI only permits a sync every hour; the API will allow some things with the integration but doesn't seem to have one for forcing a sync. Is this even possible? I'd take other solutions as well, but my limiter is that I need to use URL filtering to permit the Outlook/Teams backend authentication websites. URL filtering only seems possible from Access Control Policies. Depending on the ticket the user puts in, their traffic should be filtered to different resources.

I already pitched removing the whole ticket idea and just letting users reach the resources they've been authorized to reach, but management gave me a hard veto. Again, I'll take other solutions. I've got Cisco Secure Client, FTD, FMC, ISE, and Windows AD working together for the URL filtering and permits for my initial connection; I just can't make the leap to privileged access more often than once an hour. I've even dug around in the FMC looking for whatever function the "Synchronize Now" button in the GUI calls, since if I can trigger it at will this whole thing falls into place. I'm at my wits' end.

2 Replies

I have gone through the various realm-related APIs and I think I've got them working; I just tried again to make sure I'm not losing my mind. I can pull my realm groups using them, but they just pull whatever is currently in the sync as opposed to causing a new sync. I've toyed with the idea of using the createrealm API to build and tear down the realm every time a user's group changes, but that feels kind of insane and begging for something to break.
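Since the thread establishes that the FMC API can read the realm's current group list but not force a new sync, one practical workaround for the ticket website is to poll that list and tell the user when their new group has actually landed, instead of tearing the realm down and rebuilding it. The script below is an added example and is not code from this thread or from Cisco. The generatetoken call is the documented FMC platform login; the realm-user-group URL, the realm id, the group names and the two sample API replies are assumptions or constructed placeholders and should be checked against the API Explorer on the FMC in question.

```python
"""Poll an FMC realm's user-group list and report when it changes.

Added example for the thread above, not Cisco's own tooling. The
realmusergroups URL below is an ASSUMPTION about the FMC 7.x REST API.
"""
import base64
import json
import os
import ssl
import time
import urllib.request

# Constructed sample replies standing in for two successive API calls,
# one before and one after the hourly realm sync picked up a new group.
SNAPSHOT_BEFORE = {"items": [{"name": "VPN-Base", "id": "g1"},
                             {"name": "VPN-Finance", "id": "g2"}]}
SNAPSHOT_AFTER = {"items": [{"name": "VPN-Base", "id": "g1"},
                            {"name": "VPN-Finance", "id": "g2"},
                            {"name": "VPN-Engineering", "id": "g3"}]}


def get_token(base_url, username, password, cafile=None):
    """Log in with HTTP Basic auth; FMC returns the session token and the
    domain UUID in response headers. cafile lets you trust the FMC's own
    CA instead of disabling certificate checks."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {cred}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def fetch_groups(base_url, token, domain_uuid, realm_id, cafile=None):
    """Read the groups FMC currently knows for one realm.
    ASSUMED endpoint shape; confirm it in the FMC API Explorer."""
    url = (f"{base_url}/api/fmc_config/v1/domain/{domain_uuid}"
           f"/integration/realms/{realm_id}/realmusergroups?limit=1000")
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def group_names(snapshot):
    """Names of the groups in one API reply (paging is ignored here)."""
    return {item["name"] for item in snapshot.get("items", [])}


def diff_groups(before, after):
    """What the sync added or removed between two snapshots."""
    b, a = group_names(before), group_names(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def wait_for_group(fetch, wanted, attempts=4, delay=900):
    """Call fetch() up to `attempts` times, `delay` seconds apart, until a
    group named `wanted` is visible. Returns the 1-based attempt on which
    it appeared, or 0 if it never did. A ticket system can run this after
    adding the AD group and notify the user once access is really live."""
    for n in range(1, attempts + 1):
        if wanted in group_names(fetch()):
            return n
        if n < attempts:
            time.sleep(delay)
    return 0


if __name__ == "__main__":
    # Placeholders: supply real values through the environment.
    base = os.environ.get("FMC_URL", "https://fmc.example.invalid")
    realm = os.environ.get("FMC_REALM_ID", "REALM-ID-PLACEHOLDER")
    token, domain = get_token(base, os.environ["FMC_USER"], os.environ["FMC_PASS"])
    hit = wait_for_group(lambda: fetch_groups(base, token, domain, realm),
                         "VPN-Engineering", attempts=5, delay=900)
    print("group visible on attempt", hit if hit else "never")
```

Polling every 15 minutes against the read-only endpoint costs nothing on the FMC side and avoids the create/tear-down realm approach, which would also drop every identity mapping the realm currently holds each time it is removed.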