Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3776
Views
0
Helpful
8
Replies

LDAP Attribute Map on FTD

O.Zang
Level 1
Level 1

‎01-21-2019 02:44 AM - edited ‎03-12-2019 05:33 AM

Hello Expert,

 

I have configured LDAP Attribute Map on FTD for Anyconnect VPN. but it is not working. 

Does someone know how to make it work please?


FMC 6.2.3.7

FTD 6.2.3.7

Regard, 

Zanga

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-21-2019 04:44 AM

@O.Zang,

 

You can only use LDAP for basic authentication, not authorization.

 

"LDAP/AD authorization and accounting are not supported for Remote Access VPN."

 

Reference:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

 

As of the current release 6.3, you'd need to use an external RADIUS server (like Cisco ISE) as an intermediary to provide granular user authorization based on LDAP attributes.

0 Helpful

O.Zang
Level 1
Level 1
In response to Marvin Rhoads

‎01-21-2019 07:19 AM

Hello Marvin Rhoads,

Thanks for your reply.

Can I use microsoft radius for that ?

Regards,

Zanga

0 Helpful

AJ Cruz
Level 3
Level 3

‎03-24-2020 03:48 PM

Check out this guide: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html

 

I got it working for a customer I believe was running 6.3.

A different customer that was running 6.4 would throw an error trying to run the "aaa-server" command.

 

Apparently there's a bug (that's what TAC said); as soon as we changed "ldap attribute-map" to "lda attribute-map" (leave off the "p") and "aaa-server" to "aaa-serve" (leave off the "r") it took the FlexConfig.

0 Helpful

kapydan88
Level 4
Level 4
In response to AJ Cruz

‎04-06-2020 02:19 AM

Hello.

Was it possible to implement a similar scheme for connecting remote users? I try to configure it according to this article, but without success...

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to kapydan88

‎04-06-2020 04:28 AM

Can you share your details? Such as: version of Firepower, your current Flexconfig, what results you are seeing.

0 Helpful

kapydan88
Level 4
Level 4
In response to Marvin Rhoads

‎04-06-2020 04:55 AM - edited ‎04-06-2020 05:01 AM

Cisco Firepower 1140 Threat Defense 6.4.0 

FMC 6.4.0.7

in this particular case LDAP - realm name

10.191.10.57 - ad dc

ldap.PNG

 

Group10 and Group192 - group policy name

ldap2.PNG

0 Helpful

kapydan88
Level 4
Level 4
In response to kapydan88

‎04-06-2020 09:06 AM

Got it. Screen with correct settings.

aaa-server <LDAP/AD_Realm_name> host <AD Server IP>
ldap-attribute-map <LDAP_Map_for_VPN_Access>

exit

 

in this case LDAP - its realm name

 

flex aaa srv.PNG

 

lda attribute-map <LDAP_Map_for_VPN_Access>
map-name memberOf Group-Policy
map-value memberOf CN=APP-SSL-VPN Managers,CN=Users,OU=stbu,DC=cisco,DC=com  LabAdminAccessGroupPolicy
map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com VPNAccessGroupPolicy

 

flex attr map.PNGdevice flex.PNG

 

0 Helpful

AJ Cruz
Level 3
Level 3
In response to kapydan88

‎04-06-2020 09:12 AM

Sorry yes correct that is the realm name.

Also one funny thing I noticed. If you have to go back and add a group later the deploy fails with an error that the attribute map already exists.

I put this at the beginning of my attribute map:

no lda attribute-map <LDAP_Map_for_VPN_Access>

 

With that, any time I update the map and deploy, it removes the map and re-creates it. I no longer received errors when I try to update the attribute map.

0 Helpful
Customers Also Viewed These Support Documents
Top