LDAP Attribute Maps on FTD with FDM

rfranzke
Level 1

Trying to configure my new-to-me FTD 2130 devices for AnyConnect VPN remote access sessions. Coming from ASA 5515-X devices and running 7.0.1-84 code on my FTDs. This is our only FTD device, so I am configuring it using FDM. I am finding mixed information on the use of LDAP attribute maps with AnyConnect on FTD. This link says LDAP attribute maps are not supported on FTD with AnyConnect:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy 

 

Specifically:

 

Unsupported Features of AnyConnect
The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

 

LDAP Authorization (LDAP Attribute Map).

Then this link:

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html 

 

Seems to indicate someone got it to work by working around a bug in the Cisco code. This was using FMC however.

 

When I try to add a FlexConfig using FDM I get a CLI block error and cannot configure it. This seems to support the notion that LDAP authorization is not supported on FTD with AnyConnect.

 

Can someone confirm that LDAP authorization is actually not a supported feature of AnyConnect on FTD? The above link seems to indicate there is some way to use RADIUS for this sort of LDAP authorization.

 

Also, it seems client customization is not supported either. I tried for an entire day to upload some image files for customizing my users' clients, to no avail. I never could get the copy commands to work. Can someone confirm that client customization is not supported for AnyConnect on FTD via any configuration method? The unsupported features link seems to indicate this as well:

 

AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

Any help with the above would be appreciated. Thanks in advance.

11 Replies

rfranzke
Level 1

So since there was not a single reply to this, I reached out to Cisco TAC. For anyone possibly coming across this in the future, I was finally able to get the attribute maps configured. It's available as part of the API, but not currently available as part of the FDM interface. I am told by Cisco TAC it is on the roadmap to add to FDM, but as of today it's not available. I used Postman with JSON requests to slowly configure attribute maps and tie them to an LDAP realm. The realm configuration is available in FDM, but for whatever reason there is no UI configuration available for the maps themselves.

 

This would have taken me 2 minutes in the ASA CLI, but without experience with JSON as a language or experience with Postman, it instead took me 4 days to configure. I am not sure I would call that progress. I gotta be honest here, so far FTD seems like a real mess, and seems to me to be one of the more half-baked products Cisco has put out. I am not sure why Cisco has so much trouble with providing solid UIs for their firewall products when other vendors have everything right there in the UI. ASA with the ASDM was the same way and it took a long time before it became useful. But there was always a CLI available, so it was always workable. 4 days to configure one simple attribute map really is not time I can afford to give. I know, I know, FMC is available, and likely has the feature as part of it, but launching an entire VM just to be able to configure a single FTD set is overkill to me. Makes sense for a whole fleet of these things. But I have one. It's a no-go for me. Anyway, hth.

Hi rfranzke.
I have the same problem. I was able to use the API to configure the attribute map and the association with the realm server. If I look at the running config all seems OK, but when the VPN user tries to connect, he can choose the tunnel group, and if the choice is wrong he is authenticated in any case.
Could you help me eliminate the choice of tunnel group on AnyConnect and correctly associate users with only one tunnel group?

@p.f.laviano when configuring the VPN, remove any group aliases in the connection attributes. It's the aliases that populate the dropdown box.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-ravpn.html#id_88961

Thank you Marvin for your answer.
I deleted the aliases in the connection attributes but the result is the same. On the old ASA, to obtain this result, I had to uncheck "Allow user to select connection profile on the login page" in the connection profiles menu.
I read that I can do the same with FMC in the document you sent me, but I'm not able to do this with FDM.
Could you help me?
Thank you in advance.

Not sure if this is still an issue for you. I just deployed my first FTD setup last night. Despite some oddness with the SSL bits for AnyConnect, the LDAP attribute mapping worked perfectly. Thanks to some documentation from Cisco TAC, I set things up this way, which works and does not allow the user to select anything in the client. Everything is managed by the attribute maps. For my environment, I have two basic AnyConnect address pools which are assigned using two different group policies. Here is what I ended up with to make this work.

1. I created a single AnyConnect VPN connection profile. I added a single IP pool to this profile.

2. I created three group policies: one called RAUsers, one called RAAdmins, and one called "NoAccess". For the NoAccess policy I set the simultaneous logins to 1 (FDM wouldn't allow me to set it to 0). I assigned this policy as the default group policy for the AnyConnect connection profile I created earlier. Each group policy has a different IP pool assigned to it (which overrides any configured in the connection profile itself).

3. I created an LDAP attribute map using Postman via JSON queries. This was a tedious endeavor as I am not familiar enough with JSON to make it easy for me. Using the API Explorer I cobbled together the JSON POSTs I needed to create the attribute maps. The maps map a particular AD user group to a particular group policy when the client connects. The FTD assigns the policy to the client based on this mapping. If the user is not part of either AD group, the NoAccess policy gets assigned, effectively not allowing VPN access to more than one user.

4. The client does not show me any tunnel group options because there is only one. Everything gets assigned via the policy not the tunnel group.

I am not sure if this is helpful to you or not. Perhaps you need multiple tunnel groups for some reason. I used to run two to assign different IP pools but realized I could set this using the group policies instead. So a single connection profile (tunnel group) but multiple group policies. A lot cleaner and more what I want anyway. It was tough to get going but it's been working great all day today. Hope this helps you some.

Thank you, rfranzke,
Your contribution is appreciated.
I resolved the problem too, in a way similar to yours.
I used one tunnel-group too, but in my solution the client continues to show me the tunnel group options; now that is not a problem.
My problem was the associations between Cisco attributes and LDAP attributes. Now I understand that the users have to be configured under the "Users" directory in LDAP and the groups must have the same name as the group policy. After these changes everything works.
P.S.: you say "I set the simultaneous logins to 1. FDM wouldn't allow me to set it to 0". It's true, but I resolved it by unchecking the flag.
Thank you. Have a good day.

Hi @rfranzke ,

I am also stuck on the LDAP mapping and attribute configuration in FDM. Could you please do me a favor and share the JSON syntax for reference? Appreciated.

Hi thuy.hoang.

These are my JSON commands for LDAP attribute mapping:



{
  "version": "dpynuucqo55jf",
  "name": "department",
  "ldapAttributeMaps": [
    {
      "ldapName": "memberOf",
      "ciscoName": "GROUP_POLICY",
      "valueMappings": [
        {
          "ldapValue": "CN=XXX-Group,CN=Users,DC=pippi,DC=local",
          "ciscoValue": "XXX-Group-Policy",
          "type": "ldaptociscovaluemapping"
        },
        {
          "ldapValue": "CN=YYY-Group,CN=Users,DC=pippo,DC=local",
          "ciscoValue": "YYY-Group-Policy",
          "type": "ldaptociscovaluemapping"
        },
        {
          "ldapValue": "CN=ZZZ-Group,CN=Users,DC=pippo,DC=local",
          "ciscoValue": "ZZZ-Group-Policy",
          "type": "ldaptociscovaluemapping"
        }
      ],
      "type": "ldapattributemapping"
    }
  ],
  "ldapAttributeToGroupPolicyMappings": [],
  "id": "d2d6ef6e-02b9-11ed-b352-530659d352a0",
  "type": "ldapattributemap",
  "links": {
    "self": "https://10.10.10.1/api/fdm/v6/object/ldapattributemaps/d2d6ef6e-02b9-11ed-b352-530659d352a0"
  }
}

I hope this is helpful for you.


Hi @p.f.laviano ,

Thanks much for your information.

Just a question: how do I get the following information (id and self link)?

"id": "???",
"type": "ldapattributemap",
"links": {
  "self": "???"
}

Sorry, I am not familiar with the API.

 

Thanks.

Hi thuy.hoang

In the API Explorer section, you have to select "<> LdapAttributeMap" and choose the GET button. Then you have to choose the "TRY IT OUT!" button.

You'll get the response body.

At the end of the output you'll find the information you are looking for (ID and self).
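The steps rfranzke describes (one connection profile, a NoAccess default group policy, an attribute map that picks RAUsers or RAAdmins from memberOf) and the two questions above (what to POST, and where the id and self link come from) can be combined into one script. This is an added example, not code from the thread or from Cisco. The object shape (type ldapattributemap, ldapAttributeMaps, valueMappings, ciscoName GROUP_POLICY) and the /api/fdm/v6/object/ldapattributemaps path are taken from the JSON posted above; the token endpoint /api/fdm/latest/fdm/token with grant_type=password, the "items" key in the collection GET response, and the host, credentials, CA file and group DNs in main() are assumptions. The step that ties the map to the LDAP realm is not shown anywhere on this page, so it is not included.

```python
"""Create an FDM LDAP attribute map through the REST API and read back its id.

Added example; not code from the thread or from Cisco. Assumed: the token
endpoint, the "items" key of collection GETs, and all hosts/credentials/DNs.
"""
import json
import ssl
import urllib.request


def build_attribute_map(name, group_to_policy):
    """Body for POST .../object/ldapattributemaps.

    group_to_policy maps an AD group DN (a value of the user's memberOf
    attribute) to the FDM group policy it should select. The server-generated
    fields seen in the GET response (id, version, links) are left out.
    """
    return {
        "name": name,
        "type": "ldapattributemap",
        "ldapAttributeMaps": [{
            "type": "ldapattributemapping",
            "ldapName": "memberOf",
            "ciscoName": "GROUP_POLICY",
            "valueMappings": [
                {"type": "ldaptociscovaluemapping",
                 "ldapValue": dn, "ciscoValue": policy}
                for dn, policy in group_to_policy.items()
            ],
        }],
        "ldapAttributeToGroupPolicyMappings": [],
    }


def ids_and_links(collection):
    """(id, self-link) of every map in a collection GET (assumed "items" key)."""
    return [(o["id"], o["links"]["self"]) for o in collection.get("items", [])]


def resolve_group_policy(attr_map, member_of, default_policy):
    """Local model of the lookup, for checking a map before pushing it.

    The first valueMapping whose ldapValue equals one of the user's memberOf
    DNs wins (DN comparison is case-insensitive); with no match, the
    connection profile's default policy (e.g. NoAccess) applies. This is a
    simulation to reason about the map, not the FTD's own code.
    """
    have = {dn.lower() for dn in member_of}
    for mapping in attr_map["ldapAttributeMaps"]:
        if mapping["ldapName"].lower() != "memberof":
            continue
        for vm in mapping["valueMappings"]:
            if vm["ldapValue"].lower() in have:
                return vm["ciscoValue"]
    return default_policy


def _tls_context(ca_file):
    # Verify the FDM certificate against the CA you trust for the box instead
    # of disabling verification: the admin token travels over this session.
    return ssl.create_default_context(cafile=ca_file)


def get_token(base_url, username, password, ca_file):
    """Assumed endpoint: POST /api/fdm/latest/fdm/token, password grant."""
    body = json.dumps({"grant_type": "password", "username": username,
                       "password": password}).encode()
    req = urllib.request.Request(base_url + "/api/fdm/latest/fdm/token",
                                 data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_tls_context(ca_file)) as resp:
        return json.load(resp)["access_token"]


def fdm_call(base_url, token, method, path, body, ca_file):
    """Authenticated JSON request against the FDM API; returns the decoded body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": "Bearer " + token,
                                          "Content-Type": "application/json",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, context=_tls_context(ca_file)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    BASE = "https://10.10.10.1"    # FDM address shown in the thread
    CA = "fdm-ca.pem"               # assumed: CA that signed the FDM certificate
    token = get_token(BASE, "admin", "change-me", CA)   # assumed credentials
    body = build_attribute_map("department", {
        "CN=RAAdmins,OU=VPN,DC=example,DC=local": "RAAdmins",   # assumed DNs
        "CN=RAUsers,OU=VPN,DC=example,DC=local": "RAUsers",
    })
    maps_path = "/api/fdm/v6/object/ldapattributemaps"
    created = fdm_call(BASE, token, "POST", maps_path, body, CA)
    print("created", created["id"])
    # Same information the API Explorer GET shows: id and self link per map.
    for obj_id, link in ids_and_links(fdm_call(BASE, token, "GET", maps_path, None, CA)):
        print(obj_id, link)
    # The new object is a pending change in FDM until you deploy.
```

Run resolve_group_policy against a few memberOf lists before pushing the map: a user in neither AD group must land on the default policy, which is the whole point of making NoAccess the connection profile's default. The DNs in the map must match what the LDAP server actually returns in memberOf, which is why rfranzke's groups live under an OU inside the realm's base DN and the full path is written into the map.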

rfranzke
Level 1

>> you say "I set the simultaneous logins to 1. FDM wouldn't allow me to set it to 0". It's true, but I resolved it by unchecking the flag.

What flag are you speaking of here?

>> Now I understand that the users have to be configured under the "Users" directory in LDAP and the groups must have the same name as the group policy.

My AD groups and group policy names do not match. I put the groups in an OU in AD where I want them, and I set up the LDAP configuration to use a base DN that contains the OU when it searches. Then I specify the path to the group in the attribute map.

None of my clients prompt for a tunnel group. I am not sure I understand why yours do. Can you explain some more?