11-12-2020 04:29 PM - edited 11-12-2020 04:32 PM
Hi all,
we have set up an AD realm and an identity policy. We want to apply ACLs to allow RA VPN connections for some users to some destinations.
The AD realm connection is working according to the test function. When we create an ACL and switch to the user tab, the AD realm connection doesn't show the users and groups of the AD.
AnyConnect is working; logon with a user's AD credentials works fine.
Is there something special to do to get the users and groups from AD realm?
11-12-2020 06:33 PM
11-13-2020 02:08 AM
The Firepower is managed by FDM; is there an option to download? I haven't found anything like that before.
11-14-2020 10:19 AM
How did you configure your identity policy?
11-14-2020 12:43 PM
I have tried various variants. The last one I tried was:
RAVPN_Hosts-192.168.10.0 is the network assigned to VPN clients. Inside_Network-192.168.0.0 is the default internal network.
11-15-2020 10:42 PM
I think you won't see the users/groups until you deploy the changes. Did you deploy the changes and still don't see them? Regarding the identity policy you created, it looks good to me. The FTD will use AnyConnect to get the users' identity and create the user-to-IP mapping. Once that is created, the FTD can then enforce the security rules you configured for those users.
11-25-2020 01:12 AM - edited 11-25-2020 01:29 AM
Hello!
I have a similar problem with this Version.
Since the upgrade to 6.7, group changes are no longer synchronized. I can change the user's group in Active Directory, but it is not reflected in the FTD device (ASA 5508-X with FTD 6.7 and FDM, no FMC). This results in ACLs not being applied.
- I have created new users and they are able to log in, but their AD groups are completely ignored.
- When I change the group memberships of an older user, it is also not reflected and the ACLs are not applied.
- If I create a new group in Active Directory, I cannot find it in the ACL dialog, even if I wait 24h for an automatic sync.
I tried removing and adding the realm again to force a new sync, applied a deployment and rebooted the device.
...but nothing helps.
New employees are actually not able to work from home office because of this. I need a fix asap.
What can I do? Any suggestions?
11-30-2020 05:02 AM
Has anybody created a bug with Cisco and may provide the Bug ID? This way we can vote for it.
11-30-2020 06:25 AM
I have an open case since 27th of November. I hope the engineer will have a solution as soon as possible. I don't have a bug ID yet.
12-03-2020 02:42 PM
Until today, Cisco engineers have not been able to fix the issue, nor have they treated it as a bug.
Today we did some debugging in the CLI with debug ldap 255. There are no errors; the connection to Active Directory is fine.
It's very annoying that it takes weeks to get a solution; the assigned engineer changed almost every day because there was no response or the engineer was not available.
12-04-2020 12:50 AM
This is annoying. Yesterday I forwarded this bug to our service partner to help create a bug in Cisco's bug tracker. I will keep you posted.
You started with 6.7.0?
I made an upgrade from 6.6, and until then it was working well. I have not changed anything, just updated to 6.7, and it stopped working. There is a bug, definitely!
12-04-2020 05:49 AM
I started with 6.7; we did not use the Firepower before because of missing features.
12-08-2020 03:37 PM - edited 12-08-2020 03:40 PM
I have received feedback from a Cisco engineer today:
I have recreated the issue in our lab and also, I was able to apply a simple workaround and download the users and groups in the ACP rule, users tab.
We also have a defect for this behavior, which is tracked under CSCvu67638; it is not customer-visible yet, but we are working on that.
Workaround:
Make a small change on the realm configuration; this will trigger a new user and group data download as part of the deployment.
Unfortunately the workaround doesn't work here.
12-09-2020 01:23 AM
Amazing! A step in the direction of a solution.
I got a similar response to restart the component. Maybe this helps as a workaround in your situation?
admin@host$ sudo su
root@host$ pmtool disablebyid adi
root@host$ pmtool enablebyid adi
But I already restarted the whole device and tried changing the realm config to force a resync. Nothing helped. I have no idea why they had success with their "workaround".
12-09-2020 04:30 AM
For me this workaround didn't work either. I am curious how long it will take to get a fixed update.