02-18-2021 06:25 AM
Hello,
Usually we use RADIUS and it works fine, but users want to change their AD passwords. It looks like I can switch from RADIUS to AD and follow this document to restrict the connections to an AD group: Configure AnyConnect LDAP mapping on Firepower Threat Defense (FTD) - Cisco
I also see 6.7 supports LDAP; is there an additional benefit of using LDAP instead of AD and RADIUS? LDAP will be more challenging since we still have to migrate from User Agent to ISE-PIC before we can upgrade to 6.7.
Lastly, if we want to use Duo for MFA, are we stuck with RADIUS and will use password management?
Appreciate any feedback regarding the pros and cons of each authentication method!
Labels: AnyConnect, DUO, Remote Access, VPN
Accepted Solutions
02-18-2021 06:35 AM
If you use LDAP or RADIUS you can dynamically apply a different group-policy/settings to users; you cannot do that with AD.
If you use ISE for RADIUS you can perform posture; you cannot do that with AD or LDAP.
If the user connects to the VPN tunnel, regardless of AD/LDAP/RADIUS, they have domain connectivity, so they can CTRL-ALT-DEL and change their password.
If you want to use Duo for MFA, you could just point to Duo Proxy and let it communicate with AD and Duo cloud.
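The last point of the accepted answer, the FTD sending RADIUS to a Duo Authentication Proxy that checks the password against AD and then asks Duo for the second factor, corresponds to an authproxy.cfg with an `[ad_client]` and a `[radius_server_auto]` section. The following is an added, constructed example and not configuration from the thread or from Cisco/Duo: the hostnames, DNs, IP address and bracketed values are placeholders to be replaced with your own.

```ini
; Duo Authentication Proxy configuration (authproxy.cfg) - constructed example
; Flow: FTD --RADIUS--> this proxy --LDAP--> AD (primary password)
;                                   --HTTPS--> Duo cloud (second factor)

[ad_client]
; Assumed domain controller; use LDAPS so the service-account bind and the
; users' passwords are not sent in cleartext to the DC.
host=dc1.example.com
transport=ldaps
ssl_verify_hostname=true
service_account_username=svc_duo_proxy
service_account_password=<AD_SERVICE_ACCOUNT_PASSWORD>
search_dn=DC=example,DC=com
; Only members of this AD group may authenticate at all (same restriction
; the question wants, enforced at the proxy instead of on the FTD).
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=com

[radius_server_auto]
; Duo application credentials from the Duo Admin Panel (placeholders).
ikey=<DUO_INTEGRATION_KEY>
skey=<DUO_SECRET_KEY>
api_host=<api-XXXXXXXX.duosecurity.com>
; The FTD interface that sources RADIUS requests and the shared secret
; configured in the FTD RADIUS server object (placeholders).
radius_ip_1=192.0.2.10
radius_secret_1=<RADIUS_SHARED_SECRET>
; Validate the primary password against the [ad_client] section above.
client=ad_client
port=1812
; "secure": if the Duo service is unreachable, deny the login rather than
; fall back to password-only authentication.
failmode=secure
```

With this in place the FTD RADIUS server object points at the proxy host on UDP/1812, and the AD password check is done by the proxy, so the VPN's authentication method stays RADIUS while users still authenticate with their AD credentials. `failmode=secure` is the conservative choice; Duo's default of `safe` lets logins through on the first factor alone when the Duo cloud cannot be reached.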
