ASA DAP expressions?

Unanswered Question
Sep 20th, 2009


Not sure if this belongs in AAA or firewalling. I apologize for the mix-up.

Does anyone know if there's a user-friendly (i.e. non-LUA) way of matching a single DAP entry to the following constraint:

- match specific connection profile

- match one of many specific usernames.

I know I can easily create an LDAP group, put the users there and match on the memberOf attribute, but I'm trying to define local policies on the ASA for a limited number of users WITHOUT creating external LDAP groups and without having multiple DAP entries (connprofile/user1, connprofile/user2, connprofile/user3, ...)

Any insights?


sbader48220 Mon, 09/21/2009 - 10:13

I haven't tested this fully, but using the 'test dynamic access policies' option, it appeared to work. I'm not an expert, but thought this was an interesting application, so I messed around a bit.

Create a new DAP, and choose "User has ANY of the following AAA attribute values", then add->cisco->username and add the username. Add a separate entry for each username.

Once you add the usernames, click on the 'advanced' line below the AAA attributes box, click 'AND', and add the following:

EVAL(, "EQ","TunnelGroupName")

Obviously replacing the tunnelgroupname entry with the group you want to match.

Give it a shot and let us know!
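For reference, here is one way to express the whole constraint (one connection profile, any of several usernames) as a single DAP advanced expression, so that no per-user AAA entries are needed. This is an added example and not code from the thread; `aaa.cisco.tunnelgroup` and `aaa.cisco.username` are the standard DAP AAA attribute names, while the profile name `MyConnProfile` and the usernames are placeholders to replace with your own.

```lua
-- DAP advanced expression (Lua): match when the session came in on one
-- specific connection profile AND the authenticated user is in a short
-- local allow-list. Wrapped in assert(function() ... end)() so the field
-- can hold statements rather than a single boolean expression.
assert(function()
  -- Placeholder values: replace with the real connection profile and users.
  local profile = "MyConnProfile"
  local users = { "alice", "bob", "carol" }

  -- Fail closed: if the tunnel group does not match, this DAP never applies,
  -- regardless of who the user is.
  if not EVAL(aaa.cisco.tunnelgroup, "EQ", profile, "string") then
    return false
  end

  -- Match any one of the listed usernames.
  for _, u in ipairs(users) do
    if EVAL(aaa.cisco.username, "EQ", u, "string") then
      return true
    end
  end

  -- No username matched: leave it to the default DAP.
  return false
end)()
```

Verify the result with the 'test dynamic access policies' option mentioned above before relying on it, checking both a listed user on the right profile and a listed user on a different profile.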
