LDAP Attribute Map on FTD

Hello Expert,

 

I have configured an LDAP attribute map on FTD for AnyConnect VPN, but it is not working.

Does someone know how to make it work please?


FMC 6.2.3.7

FTD 6.2.3.7

Regards,

Zanga

Hall of Fame Guru

Re: LDAP Attribute Map on FTD

@Zanga Ouattara,

 

You can only use LDAP for basic authentication, not authorization.

 

"LDAP/AD authorization and accounting are not supported for Remote Access VPN."

 

Reference:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

 

As of the current release 6.3, you'd need to use an external RADIUS server (like Cisco ISE) as an intermediary to provide granular user authorization based on LDAP attributes.

Beginner

Re: LDAP Attribute Map on FTD

Hello Marvin Rhoads,

Thanks for your reply.

Can I use Microsoft RADIUS for that?

Regards,

Zanga

Beginner

Re: LDAP Attribute Map on FTD

Check out this guide: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html

 

I got it working for a customer that I believe was running 6.3.

A different customer that was running 6.4 would throw an error trying to run the "aaa-server" command.

 

Apparently there's a bug (that's what TAC said); as soon as we changed "ldap attribute-map" to "lda attribute-map" (leave off the "p") and "aaa-server" to "aaa-serve" (leave off the "r") it took the FlexConfig.

Beginner

Re: LDAP Attribute Map on FTD

Hello.

Was it possible to implement a similar scheme for connecting remote users? I tried to configure it according to this article, but without success.

Hall of Fame Guru

Re: LDAP Attribute Map on FTD

Can you share your details? Such as: the version of Firepower, your current FlexConfig, and what results you are seeing.

Beginner

Re: LDAP Attribute Map on FTD

Cisco Firepower 1140 Threat Defense 6.4.0

FMC 6.4.0.7

In this particular case, LDAP is the realm name and 10.191.10.57 is the AD DC.

[screenshot: ldap.PNG]

Group10 and Group192 are the group policy names.

[screenshot: ldap2.PNG]

Beginner

Re: LDAP Attribute Map on FTD

Got it. Screenshot with the correct settings.

aaa-server <LDAP/AD_Realm_name> host <AD Server IP>
 ldap-attribute-map <LDAP_Map_for_VPN_Access>
exit

In this case, LDAP is the realm name.

[screenshot: flex aaa srv.PNG]

lda attribute-map <LDAP_Map_for_VPN_Access>
 map-name memberOf Group-Policy
 map-value memberOf CN=APP-SSL-VPN Managers,CN=Users,OU=stbu,DC=cisco,DC=com LabAdminAccessGroupPolicy
 map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com VPNAccessGroupPolicy

[screenshots: flex attr map.PNG, device flex.PNG]

 

Beginner

Re: LDAP Attribute Map on FTD

Sorry, yes, correct, that is the realm name.

Also one funny thing I noticed. If you have to go back and add a group later the deploy fails with an error that the attribute map already exists.

I put this at the beginning of my attribute map:

no lda attribute-map <LDAP_Map_for_VPN_Access>

 

With that, any time I update the map and deploy, it removes the map and re-creates it. I no longer receive errors when I update the attribute map.
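The two FlexConfig objects shown in the thread (the attribute map with the leading "no" line, and the aaa-server binding) are easy to get subtly wrong by hand: a memberOf value that is not the group's full DN never matches, and a re-deploy fails if the map already exists. The following script is an added example, not code from the thread or from Cisco; it generates both FlexConfig bodies from a Python mapping of group DN to group policy, applies the "no ... attribute-map" trick from the last post, optionally emits the truncated "lda"/"aaa-serve" spelling that TAC gave as a workaround (that spelling is reported in the thread, not documented syntax), and does an offline check of which policy a user's memberOf values would select. All DNs, policy names, the realm name and the host IP are constructed placeholders; the first-match precedence in the offline check is an assumption, since the thread does not describe how FTD resolves a user that belongs to several mapped groups.

```python
"""Build FlexConfig text for an FTD LDAP attribute map (added example).

Not from the thread or from Cisco.  Group DNs, policy names, realm and
host below are constructed placeholders.
"""
from typing import Dict, Iterable, Optional


def _check_dn(dn: str) -> None:
    """Reject map keys that cannot match an AD memberOf value.

    memberOf holds the group's full DN.  A bare group name such as
    'VPN-Users' never matches, which leaves the map silently unused.
    """
    upper = dn.upper()
    if not upper.startswith("CN="):
        raise ValueError(f"memberOf value must be a full DN starting with CN=: {dn!r}")
    if "DC=" not in upper:
        raise ValueError(f"memberOf value is missing the domain components: {dn!r}")


def attribute_map_flexconfig(map_name: str,
                             dn_to_policy: Dict[str, str],
                             truncated_keywords: bool = False) -> str:
    """Return the FlexConfig object body that defines the attribute map.

    The first line removes any existing map of the same name, so that a
    later deploy with an added group replaces it instead of failing with
    'already exists' (the trick from the last post in the thread).
    truncated_keywords=True emits 'lda' instead of 'ldap', the spelling
    the thread reports TAC suggested for a FlexConfig parser bug.
    """
    kw = "lda" if truncated_keywords else "ldap"
    lines = [
        f"no {kw} attribute-map {map_name}",
        f"{kw} attribute-map {map_name}",
        " map-name memberOf Group-Policy",
    ]
    for dn, policy in dn_to_policy.items():
        _check_dn(dn)
        if " " in policy:
            # The policy name is the last token on the line; a space in it
            # would be parsed as part of the DN.
            raise ValueError(f"group policy name must not contain spaces: {policy!r}")
        lines.append(f" map-value memberOf {dn} {policy}")
    return "\n".join(lines)


def aaa_server_flexconfig(realm: str, host: str, map_name: str,
                          truncated_keywords: bool = False) -> str:
    """Return the FlexConfig object body that binds the map to the realm's AD host."""
    kw = "aaa-serve" if truncated_keywords else "aaa-server"   # workaround spelling
    return "\n".join([
        f"{kw} {realm} host {host}",
        f" ldap-attribute-map {map_name}",
        "exit",
    ])


def policy_for_user(member_of: Iterable[str],
                    dn_to_policy: Dict[str, str]) -> Optional[str]:
    """Offline check: which group policy would these memberOf values select?

    Uses an exact, case-sensitive string comparison on purpose: if a map
    entry differs from the directory's memberOf value in any character,
    fix the entry rather than rely on the device to normalise it.
    Assumption: when several mapped groups match, the first map entry wins;
    the thread does not describe FTD's actual precedence.
    """
    groups = set(member_of)
    for dn, policy in dn_to_policy.items():
        if dn in groups:
            return policy
    return None


if __name__ == "__main__":
    # Constructed sample mapping; replace with your own AD group DNs.
    MAP = {
        "CN=VPN-Admins,CN=Users,DC=example,DC=com": "AdminGroupPolicy",
        "CN=VPN-Users,CN=Users,DC=example,DC=com": "UserGroupPolicy",
    }
    print(attribute_map_flexconfig("LDAP_Map_for_VPN_Access", MAP))
    print(aaa_server_flexconfig("LDAP", "192.0.2.10", "LDAP_Map_for_VPN_Access"))
    print(policy_for_user(["CN=VPN-Users,CN=Users,DC=example,DC=com"], MAP))
```

Paste the first function's output into the attribute-map FlexConfig object and the second function's output into the aaa-server object, in that order, so the map exists before the realm references it. Run policy_for_user against the memberOf values you pull from the directory for a test account before deploying; a None result means the map entries do not match the directory character for character.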