FTD 1010 / 6.7: Connection to AD realm and ACL/identity policy doesn't seem to work

mcgiga
Level 1

Hi all,

We have set up an AD realm and an identity policy. We want to apply ACLs to allow RA VPN connections for some users to some destinations.

The AD realm connection is working according to the test function. When we create an ACL and switch to the Users tab, the AD realm connection doesn't show the users and groups of the AD.

AnyConnect is working; logon with a user's AD credentials is working fine.


1.JPG

2.JPG

3.JPG

Is there something special to do to get the users and groups from AD realm?

17 Replies

Hi,

After adding the realm and importing users/groups, you need to click
Download users/groups. Only after that will you see them in the ACP > Users tab.

**** please remember to rate useful posts

The Firepower is managed in FDM; is there an option to download? I haven't found anything like that before.

How did you configure your identity policy?

I have tried various variants. The last one I tried was:


1.JPG

RAVPN_Hosts-192.168.10.0 is the network assigned to VPN clients. Inside_Network-192.168.0.0 is the default internal network.

I think you won't see the users/groups until you deploy the changes. Did you deploy the changes and still don't see them? Regarding the identity policy you created, it looks good to me. The FTD will use AnyConnect to get the user's identity and create the user-to-IP mapping. Once that is created, the FTD can then enforce the security rules you configured for those users.

Leon1
Level 1

Hello!

I have a similar problem with this version.


Since the upgrade to 6.7, group changes are no longer synchronized. I can change a user's group in Active Directory, but it is not reflected in the FTD device (ASA 5508-X with FTD 6.7 and FDM, no FMC). This results in ACLs not being applied.


- I have created new users and they are able to log in, but their AD groups are completely ignored.

- When I change the group memberships of an older user, it is also not reflected, and the ACLs are not applied.

- If I create a new group in Active Directory, I cannot find it in the ACL dialog, even if I wait 24h for an automatic sync.


I tried removing and adding the realm again to force a new sync, applied a deployment and rebooted the device.

...but nothing helps.


New employees are actually not able to work from home because of this. I need a fix ASAP.

What can I do? Any suggestions?

Leon1
Level 1

Has anybody created a bug with Cisco and may provide the Bug ID? This way we can vote for it.

I have an open case since 27th of November. I hope the engineer will have a solution as soon as possible. I don't have a bug ID yet.

mcgiga
Level 1

Until today, Cisco engineers have not been able to fix the issue, nor have they treated it as a bug.

Today we did some debugging in the CLI with debug ldap 255. There are no errors; the connection to Active Directory is fine.


It's very annoying that it takes weeks to get a solution; the assigned engineer changed almost every day because there was no response or they were not available.

This is annoying. Yesterday I forwarded this bug to our service partner to help create a bug in Cisco's bug tracker. I will keep you posted.

You started with 6.7.0?

I made an upgrade from 6.6 and until then it was working well. I have not changed anything, just updated to 6.7 and it stopped working. There is a bug, definitely!

mcgiga
Level 1

I started with 6.7; we did not use the Firepower before because of missing features.

mcgiga
Level 1

I have received feedback from a Cisco engineer today:

I have recreated the issue in our lab, and I was also able to apply a simple workaround and download the users and groups on the ACP rule, Users tab.

We also have a defect for this behavior, which is tracked under CSCvu67638; it is not customer visible yet, but we are working on that.

Workaround:
Make a small change to the realm configuration; this will trigger a new user and group data download as part of the deployment.

Unfortunately, the workaround doesn't work here.

Amazing! A step in the direction of a solution.


I got a similar response to restart the component. Maybe this helps as a workaround in your situation?

admin@host$ sudo su

root@host$ pmtool disablebyid adi

root@host$ pmtool enablebyid adi

But I already restarted the whole device and tried changing the realm config to force a resync. Nothing helped. I have no idea why they had success with their "workaround".

mcgiga
Level 1

For me this workaround didn't work either. I am curious how long it will take to get a fixed update.
