Firepower Remote Access VPN limit to AD group

Michael Proctor
Level 1

Is there any good documentation out there to be able to limit users with access to the VPN to a specific group? Currently my system will allow ANY AD user to connect which is less than ideal.


Thanks

4 Replies

Hi,
You can use a RADIUS server to authorise only users in a specific AD group.

How are you authenticating the users?
What version of FTD are you running?
Are you using FDM or FMC to manage the FTD?

I am using an AD realm with the user agent for AD. FTD version 6.2.3.13 and I am using FMC.

Here is a decent document on what you are trying to do.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html

--
Please remember to select a correct answer and rate helpful posts

Herald Sison
Level 3

Try this one. I just found out a minute ago and it worked pretty well; you can also try this one.

First create a no-access group policy with 0 simultaneous sessions per user, and create an access group policy.


I assigned the NO_ACCESS_GP group policy I made, which prevents users from accessing the VPN, as the default policy of the tunnel group that I made, which is the Employees tunnel group. Then I target the VPN_Users security group from AD in the LDAP attribute map and use the RAVPN_GP, so users that belong to that LDAP attribute map are the ones who are allowed to access the VPN.

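The setup described above, written out as the ASA-style CLI that FTD ends up with (added example, not from the thread or from Cisco; on FMC 6.2.3 the group policies and connection profile come from the RA VPN policy and the attribute map is pushed with a FlexConfig object, as the linked document shows). The server address, bind account and group DN are placeholders.

```text
! --- Group policies ---------------------------------------------------
! Default policy for the tunnel group: no user may hold a session under
! it, so an AD user who authenticates but matches no map entry is denied.
group-policy NO_ACCESS_GP internal
group-policy NO_ACCESS_GP attributes
 vpn-simultaneous-logins 0

! Policy granted only to members of the allowed AD group.
group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

! --- LDAP attribute map ----------------------------------------------
! memberOf is compared against the full DN of the AD group (placeholder
! DN); a match overrides Group-Policy for the session with RAVPN_GP.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN_Users,OU=Groups,DC=example,DC=com" RAVPN_GP

! --- AAA server (placeholder host, base DN and bind account) ----------
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc_vpn,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! --- Connection profile (tunnel group) --------------------------------
! Authentication goes to AD; anyone not rewritten by the map falls into
! NO_ACCESS_GP and is rejected at login.
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 authentication-server-group AD_LDAP
 default-group-policy NO_ACCESS_GP
```

memberOf lists direct membership only, so a user who reaches VPN_Users through a nested group will land in NO_ACCESS_GP and be denied. If nested groups need to be honoured, the RADIUS approach from the first reply is the usual alternative.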