Firepower - local user database and different VPN profiles

Micccc4
Level 1

Hi Everyone,

I am in the process of migrating from a legacy ASA FW to the new FP3110 (the preparation phase).

With regards to Remote VPN, the customer is currently using a local user database on the ASA, where different users are locked to different VPN Groups/Profiles. With that, different users get access to different resources on the Inside network.

The long-term plan is to set up ISE and integrate Firepower towards it, but for now we are trying to achieve something similar to the ASA setup, but for Firepower. From what I see this can be achieved with Realm integration. BUT the Remote VPN Policy can be linked to only one Realm. And a Realm contains just a list of users and passwords. In other words, I am missing the option where one set of users could be 'locked' to one VPN Profile, and another set of users to another VPN Profile.

Can someone confirm if this is achievable on Firepower? If so - then how?

As always - thanks in advance.

4 Replies

Marvin Rhoads
Hall of Fame

The most common way I have seen is to migrate the users into AD and then use an LDAP attribute map. An example can be found here:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

I have also used a Dynamic Access Policy (DAP) with vpn-filters.

In either case, it's really strongly advised to get the users into an enterprise directory and not keep using a local database.
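For readers who want to see what the LDAP attribute-map approach from the linked document looks like in configuration form, here is an added illustration in ASA CLI syntax (it is not from the original reply or from the Cisco document, and the AD group names, DNs, ACL names, group-policy names and the 192.0.2.10 server address are all constructed placeholders). On FTD managed by FMC the same mapping is configured through the FMC GUI rather than typed at a CLI, but the logic is identical: the user's AD group membership (memberOf) selects the group-policy, and each group-policy carries its own vpn-filter, so the per-user resource restriction that group-lock gave on the ASA is enforced by directory membership instead of by the local user database.

```text
! Added example (ASA syntax) - constructed names and addresses, not from the thread.
! 1. Map AD group membership to a group-policy name.
ldap attribute-map AD-GROUP-TO-POLICY
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com"     GP-FINANCE
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP-ENGINEERING

! 2. LDAP server definition that applies the map (192.0.2.10 is a placeholder).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-POLICY

! 3. One ACL per group, used as a vpn-filter: each group only reaches its own subnet.
access-list FINANCE-FILTER extended permit ip any 10.10.10.0 255.255.255.0
access-list ENG-FILTER     extended permit ip any 10.10.20.0 255.255.255.0

group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-filter value FINANCE-FILTER
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-filter value ENG-FILTER

! 4. Fallback policy: a user who authenticates but matches no mapped group gets no session.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 5. A single tunnel-group; the attribute map, not the tunnel-group, decides the policy.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

The fallback with `vpn-simultaneous-logins 0` is the part worth checking after any change to the map: without it, a valid directory user who is in none of the mapped groups silently lands in the tunnel-group's default policy and gets whatever access that policy allows. The `show vpn-sessiondb anyconnect` output on an ASA (or the session details in FMC) shows which group-policy was actually applied, which is the quickest way to verify the mapping for a test account in each group.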

I checked; there is an option:

Local realm, in which your AnyConnect database is local to the FTD; no need to use a RADIUS server.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/217352-configure-ssl-anyconnect-with-local-auth.html

Hope this is what you are looking for.

Micccc4
Level 1

Thanks to both of you, @MHM Cisco World and @Marvin Rhoads.
@MHM Cisco World - I know that document, but it describes exactly what I managed to achieve - one Realm with a set of users where all are 'locked' to one VPN Profile. But I don't see the option of splitting these users across several VPN profiles.

@Marvin Rhoads - yes, I know an external directory should be the way to go, and it looks like we will have to establish it. The thing is that it will delay the migration, which was already delayed quite a lot due to other reasons. But indeed - to be honest, I don't see another way to go...

Micccc4
Level 1

To summarize, before I close this topic: apparently FTD managed with FMC, for a local user database on the firewall, does not support 'VPN Group Lock', which would allow 'locking' each user to a different VPN tunnel (something that was possible on the ASA). The best, and absolutely recommended, way to do that is to point the RA VPN defined on FTD towards an external enterprise directory (AD, ISE, Azure, ...). In our case we are looking at the use of ISE.