SSL VPN - Dynamic Access Policy Question

Unanswered Question
Mar 4th, 2010

Hi All,

I'm setting up SSL VPN using Dynamic Access Policies to control different LDAP groups who log in. So far I have everything working with people in different AD groups logging in and getting a different set of Bookmarks which is great, though I cannot figure out how to link the Customization Objects to a Dynamic Access Policy. Also is there any way to allow Smart Tunnels for one group, but not another.

Any advice or recommendations would be appreciated.

Thanks,

Ryan

EDIT: Also I am running ASA 8.0(4)

ryan_bell Thu, 03/04/2010 - 15:27

Ok I got further with multiple Connection Profiles and Group Policies and using the Group URLs, though still one problem. If a user account belongs to DAP-A and he logs in to https://xxx.xxx.xxx/groupA, everything works great. Though if he happens to know about the https://xxx.xxx.xxx/groupB address and logs in there, he can still log in and now have Group B's Customization profile, connection profile, and group policy. The user is still locked to group A's settings to what the DAP policy allows (bookmarks, functions, and ACLs) though they can still see the nav panel for group B (including Smart Tunnel access).

How can I restrict users in DAP policy A to only be able to access Connection Profile A and Group Policy A in case they are wise enough to enter in Group B's URL?

Thanks,

Ryan

milpo2717 Sat, 03/06/2010 - 11:21

We need an answer to this question also. We are trying to migrate from AEP Networks Netilla platform to the Cisco ASA SSL/WebVPN platform.

The biggest issue we are running into is how to restrict what is seen on the WebTop via Active Directory Group Policy and how custom objects are linked directly to Dynamic Access Policies.

I am hoping it's right in front of us.  Please help!  Running 8.0(4) on 5510.

Thanks!

JMM

ryan_bell Tue, 10/26/2010 - 12:29

What I ended up doing was in each Dynamic Access Policy (DAP), if User belongs to AD Group A AND is using Tunnel Group or Connection Profile A, then assign them to DAP A, otherwise assign them to the Default Access Policy which is set to Deny All.

For the DAP Criteria, set:

  • User has ALL of the following AAA Attributes values
  • AAA Attributes:
    • Cisco AAA Attribute - Connection Profile = SSLVPN_TUNNELA
    • LDAP AAA Attribute - memberOf = AD_GROUPA (for use if LDAP is the AAA Server, use RADIUS if ACS is your AAA Server)

You will then just need a separate Connection Profile (tunnel group), AD Security group, and DAP for each SSLVPN user group. This setup allows only specific AD groups to a Connection Profile. If a user is in AD Group A but tries to use the URL from Connection Profile B, then they will not match any of the DAP policies and will be put into the DfltAccessPolicy. As long as this policy is set to Terminate All, the user will not have access until they use the correct URL.

Let me know if you need any help, so far I've managed to get everything set, separated, and locked down using both LDAP as the AAA Server and using an ACS server in between LDAP and the ASA which gives more control and logging.
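An added illustration (not from this thread or from Cisco) of the matching rule Ryan describes: a small Python model in which each DAP requires ALL of its listed AAA attributes, and a session that matches no DAP falls through to DfltAccessPolicy set to terminate. The tunnel-group names and AD group DNs are constructed placeholders, and the attribute keys follow the ASDM naming as an assumption; it goes slightly beyond the post by treating memberOf as multi-valued, the way an LDAP server returns it.

```python
# Model of ASA Dynamic Access Policy selection with "User has ALL of the
# following AAA Attributes values". Names and DNs below are constructed
# placeholders; attribute keys mirror ASDM naming (assumption, not verified).
from dataclasses import dataclass


@dataclass
class Dap:
    name: str
    required: dict            # attribute key -> value the session must carry
    action: str = "continue"  # "continue" grants access, "terminate" drops it


# Default policy: applies whenever no other DAP matches. Set to terminate,
# as the post recommends, so a user on the wrong group-url gets nothing.
DFLT_ACCESS_POLICY = Dap("DfltAccessPolicy", {}, action="terminate")

POLICIES = [
    Dap("DAP_A", {"aaa.cisco.tunnelgroup": "SSLVPN_TUNNELA",
                  "aaa.ldap.memberOf": "CN=AD_GROUPA,OU=Groups,DC=example,DC=com"}),
    Dap("DAP_B", {"aaa.cisco.tunnelgroup": "SSLVPN_TUNNELB",
                  "aaa.ldap.memberOf": "CN=AD_GROUPB,OU=Groups,DC=example,DC=com"}),
]


def matches(dap, session):
    """Every required attribute must be present and equal. memberOf is
    multi-valued, so a required value only has to appear in the returned list."""
    for attr, wanted in dap.required.items():
        have = session.get(attr)
        if have is None:
            return False
        if isinstance(have, (list, tuple, set)):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True


def evaluate(session):
    """Return (names of matching DAPs, resulting action). With no match the
    session is handed to DfltAccessPolicy; a terminate in any matched DAP wins."""
    hits = [d for d in POLICIES if matches(d, session)]
    if not hits:
        return [DFLT_ACCESS_POLICY.name], DFLT_ACCESS_POLICY.action
    action = "terminate" if any(d.action == "terminate" for d in hits) else "continue"
    return [d.name for d in hits], action
```

Running `evaluate` on a session carrying tunnel group SSLVPN_TUNNELB but only AD_GROUPA membership shows the fall-through to DfltAccessPolicy that blocks the cross-group URL trick from the earlier post.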

Billy Dodson Tue, 10/26/2010 - 13:07

Thank you for your response. You have done exactly what I am trying to do. Would it be possible to get a sanitized copy of your asa config?
