Identity FW - ACL with AD Group not matching

Igor Rodriguez
Level 1

Hello all,

I have set up our Cisco ASA 8.4(4)1 so that it works as an Identity Firewall. Everything is going fine, except the following:

I've made an ACL so that only allowed users can access a few FTP servers. The thing is that those users belong to an Active Directory group. Using the AD group, the ACL is not being matched and therefore is not working.

However, if I change that AD group and try only my AD user, it does work.

I have other ACLs matching AD groups and they are working fine.

So my question is:

- Is there any limitation to those AD groups?

- What can I check to know why my user (that belongs to that AD group) is not being allowed while the ACL includes the AD group?

Any help will be appreciated.

Thanks in advance.

Best regards,

Igor

3 Replies

Igor Rodriguez
Level 1

Any idea of how I could try to solve this?

Thanks.

I've made another test. I've changed the group that matches the ACL and it works.

The differences between groups are:

- They're located in different OUs, but both are accessible.

- One has 6 users and the other many more.

Is there any kind of restriction on how many users a group can contain so that the ASA is able to check it?

Another group that does not work is a group (Global_FTP) containing 3 different groups, one of them being that other group (FTP_OfficeXX).

Any help will be appreciated.

Thanks!!!

Igor Rodriguez
Level 1

Hello again everybody,

I was wondering if maybe, because of summer vacations, this post was missed by some of you.

Does anyone have any idea why the ACL does not match when using an older group with more members?

Thanks in advance.

Best regards,

Igor
