
FMC Multiple Domain Management and external users

Chess Norris
Level 4

Hello,

We want to create subdomains in our FMC and add a specific FTD device to each subdomain. 

I have created two subdomains in the FMC and added one FTD device to each subdomain.

It works when I create local users and assign them to a specific subdomain. Then the user can only edit the device that belongs to the same subdomain as the user.

However, when I log in as an external user, that user will always have access to the global domain. It doesn't matter if I edit the user and only assign the subdomain. As soon as the external user logs in, he has access to both the subdomain and the global domain.

Is there a way to map the external users to a specific subdomain, or is it only possible with local users?

Thanks

/Chess

3 Replies

Chess Norris
Level 4

I found this in the FMC user guide:

"In a multidomain deployment, external authentication objects are only available in the domain in which they are created"

so it looks like it's supposed to be supported. However, even though I can create an LDAP or RADIUS authentication object under the subdomain, it's not possible to log in when I disable the global authentication object.

Thanks

/Chess

jlgf
Level 1

Hi, did you make it work? I have the exact requirement and cannot find a guide.

Hi,

No, unfortunately I had to give up the idea of using multiple domains and instead use a separate FMC.

There was a big issue with an IPSec tunnel that we needed to break before we could configure multiple domains, and we had an FTD on the other end of the VPN tunnel, managed by the FMC, and we couldn't break that tunnel.

Multiple domains is a great idea, but it should probably be implemented before you start managing FTDs.

/Chess
