
Cisco FPR 7.2.5 ACP filter user per AD/LDAP users

faruk.zaimovic
Level 1

Hello,

I have Cisco FPR 7.2.5 managed by FMC.

I want to make an ACP rule and filter by user group from AD/LDAP. For example, one group from AD has FULL internet access and the other has Limited internet access.

Can I make it without ISE or ISE-PIC? Is it enough to only make the integration with AD/LDAP and create an Identity policy, or do I have to go with ISE-PIC?

Does anybody have the same experience? Please share with us.

Thank you very much.

7 Replies

Yes you can do that with ISE-PIC, please check this video of how to integrate ISE with the FMC, and also this post of mine that might be helpful:

Firepower Management Center (FMC) - User Agent transition to ISE-PIC (youtube.com)

Integrate FMC with ISE using pxGrid | Blue Network Security (bluenetsec.com)

Thank you very much.

It is possible to make it without ISE-PIC?

I don't believe so as @Ken Stieers also mentioned. Back in the day we used to have another option which was a little software we used to install on Windows to share the user-IP mapping, but that was deprecated and replaced with ISE.

That was the Firepower User Agent.

When they deprecated it they gave away ISE-PIC licenses for a while. I'm not sure if that's still the case.


WSA/ASA used to have the CDA, which did the same thing... Umbrella VAs do it too.

Yeah, that's right. I'd created a post about it a while ago; I didn't know about the free licenses though.

Cisco Firepower User Agent | Blue Network Security (bluenetsec.com)

You need some way to tell the firewall what user is on what IP...

That is ISE-PIC or ISE.

https://rayka-co.com/lesson/cisco-ftd-network-discovery-policy/

This can be done by active nmap.

The active nmap can be used in ACP to make users access network resources according to the result of the scan.

MHM