New Member

VPN logon vs AD logon

Hello

I'm trying to implement identity firewall through LDAP VPN authentication for a machine which is not joined to the domain. I found that when I authenticate by VPN there are no logon events on the DC (the username\password given at connection was only for VPN authentication), and so no user-identity ACLs were applied. Is there no way to make it work? (maybe NPS RADIUS VPN authentication?)

 

Thank you

5 REPLIES
Cisco Employee

Hi,

It is possible. When VPN users log in to the VPN using AD user accounts, you will see that the VPN login users are associated with the domain LOCAL.

So you can apply the policies with the Domain LOCAL for IDFW:-

For Ex:-

access-list vpnusers permit ip user LOCAL\<username> any 10.0.0.0 255.255.255.0

Thanks and Regards,

Vibhor Amrodia

New Member

Thanks Vibhor,

but let's suppose that besides the ASA VPN firewall I have other ASA firewalls. They are not aware of the VPN logon authentication, in addition to not being aware of the domain controller logon security events obtained by the agent's DC polling. Does the ASA VPN firewall inform the agent about the user logon so that the other firewalls are also aware of it?

 

Cisco Employee

Hi,

I think, as per your question, you are referring to the agent as CDA? If yes, no: the information of the VPN logon is LOCAL to the ASA device and is not propagated to any agent.

Thanks and Regards,

Vibhor Amrodia

New Member

Hi,

correct Vibhor, I was thinking about implementing IDFW with agent.

So it means I can't implement identity firewall through LDAP VPN authentication for a machine which is not joined to the domain?

Looking at implementing IDFW by VPN authentication: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_idfw.html#wp1372180

"The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD Agent, which distributes the user information to all registered ASA devices."

Cisco Employee

Hi,

Yes, you are correct, but you need to map this AD Agent (CDA) on every ASA that you want the logon events to go to.

Thanks and Regards,

Vibhor Amrodia
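The configuration the thread converges on, shown as an added example (not posted by anyone in the thread): a second ASA that does not terminate the VPN registers with the same AD Agent (CDA) as the VPN ASA, so it learns the LOCAL\user-to-IP mapping that the VPN ASA reports, and can then enforce an identity ACL on it. Server addresses, domain name, bind DN, user name and secrets are constructed placeholders; the VPN-terminating ASA needs the same AD Agent registration (steps 1 and 3) so that its VPN logons reach the agent at all.

```text
! Constructed example for ASA 8.4+ IDFW; addresses, names and keys are placeholders.

! 1. RADIUS server group pointing at the AD Agent (CDA), in AD-Agent mode,
!    and registration of this ASA with the agent. Every ASA that should
!    receive logon events (including the VPN ASA) needs this block.
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.0.2.10
 key AGENT_SHARED_SECRET_PLACEHOLDER
user-identity ad-agent aaa-server adagent

! 2. LDAP server group for the AD domain itself (user and group lookups)
aaa-server ds protocol ldap
aaa-server ds (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password BIND_PASSWORD_PLACEHOLDER
 server-type microsoft

! 3. Map the AD domain and turn IDFW on
user-identity domain EXAMPLE aaa-server ds
user-identity default-domain EXAMPLE
user-identity enable

! 4. Identity policy for the VPN user. The VPN ASA reports the logon under
!    the LOCAL domain, not under EXAMPLE, so the ACL must name LOCAL\user.
access-list vpnusers extended permit ip user LOCAL\jdoe any 10.0.0.0 255.255.255.0
access-group vpnusers in interface inside

! 5. Verify agent reachability and the user-to-IP mappings this ASA has learned
show user-identity ad-agent
show user-identity user active list detail
```

If LOCAL\jdoe's VPN address does not appear in the second ASA's active user list after the user connects, check the VPN ASA's own AD Agent registration first, since that is the device that reports the logon.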
