Firepower/Anyconnect Active Directory authentication working for some users and not others

EMP (Level 1)

We have a Firepower 2110 set up to provide VPN with AnyConnect. We have Active Directory set up as an Identity Source, have configured the Remote Access VPN, set up an Identity Policy for passive detection, and then some Access Control rules to only allow network access if the user is a member of the VPN_Users Active Directory group.

This works: the VPN authenticates and the Access Control policy grants access to the network.

However, we have some new users that have been created in Active Directory who are members of the VPN_Users Active Directory group. These users can log in to the VPN but do not get network access, which says to me it's an issue with the Access Control rule.

I'm confused now, as running an LDAP debug from the diagnostic CLI shows the authentication succeeding, but the users still do not have access via the Access Control policy. When I edit the policy and browse Users, I cannot see any of the new users that have been created.

This leads me to believe that the download of users/groups from Active Directory isn't working or isn't real-time.

Is there a way to force the FDM to re-download the users/groups from Active Directory?

Any other thoughts on what to check, as it's working for some users and not others?
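One check worth running before touching the firewall is to confirm what AD itself says about group membership and then diff that against the user list the firewall has cached from its realm download. The script below is an added example for this thread, not Cisco's code or the poster's. It assumes you have an LDIF dump from AD (for instance from `ldapsearch -x -H ldap://dc1.example.local -D 'svc-fw@example.local' -W -b 'DC=example,DC=local' '(objectClass=user)' sAMAccountName memberOf`; host, bind account and base DN are placeholders) and a list of usernames copied from the realm's user browser in FDM. All sample data is constructed.

```python
"""Diff AD group membership against the user list a firewall cached from its
realm download, to find users who authenticate but never match a
group-based access rule. Added example, not from the original thread."""
from typing import Dict, List, Set

# Constructed sample ldapsearch output (LDIF). Bob's memberOf line is
# folded across two lines (leading space) as real ldapsearch output does,
# and his group DN differs only in case from the one we look for.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Staff,DC=example,DC=local
sAMAccountName: aadams
memberOf: CN=VPN_Users,OU=Groups,DC=example,DC=local
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local

dn: CN=Bob Brown,OU=Staff,DC=example,DC=local
sAMAccountName: bbrown
memberOf: CN=vpn_users,OU=Groups,DC=exam
 ple,DC=local

dn: CN=Carol Chen,OU=Staff,DC=example,DC=local
sAMAccountName: cchen
memberOf: CN=Domain Users,CN=Users,DC=example,DC=local
"""

# Group the access rule matches on (placeholder DN).
REQUIRED_GROUP = "CN=VPN_Users,OU=Groups,DC=example,DC=local"

# Constructed: what the firewall's realm user browser currently shows.
FIREWALL_CACHED_USERS = {"aadams", "cchen"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse simple LDIF into a list of {attribute: [values]} entries.
    Handles folded continuation lines; skips base64 ('::') values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:           # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value, not needed
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """AD DNs are case-insensitive; compare lower-cased with RDN spacing removed."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_members(entries: List[Dict[str, List[str]]], group_dn: str) -> Set[str]:
    """sAMAccountNames whose direct memberOf includes group_dn."""
    want = normalize_dn(group_dn)
    return {
        e["sAMAccountName"][0].lower()
        for e in entries
        if "sAMAccountName" in e
        and any(normalize_dn(g) == want for g in e.get("memberOf", []))
    }


def missing_from_cache(ad_members: Set[str], cached_users: Set[str]) -> Set[str]:
    """Users AD says are in the group but the firewall has not downloaded yet."""
    return ad_members - {u.lower() for u in cached_users}


if __name__ == "__main__":
    members = group_members(parse_ldif(SAMPLE_LDIF), REQUIRED_GROUP)
    stale = missing_from_cache(members, FIREWALL_CACHED_USERS)
    print("AD members of group :", sorted(members))
    print("missing on firewall :", sorted(stale))
```

If the script reports users as missing, the access rule cannot match them regardless of a successful LDAP bind, which is exactly the symptom described above. Note that `memberOf` only lists direct membership; if VPN_Users contains nested groups, query with the `LDAP_MATCHING_RULE_IN_CHAIN` filter (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) instead.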

1 Reply

EMP (Level 1)

Strangely, a reload of the firewall seems to have fixed this. Good that it's working, but I'm not sure a restart should be required.