cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1130
Views
5
Helpful
6
Replies

SSL VPN - Dynamic Access Policy Question

ryan_bell
Level 4
Level 4

Hi All,

I'm setting up SSL VPN using Dynamic Access Policy's to control different LDAP groups who log in. So far I have everything working with people is different AD groups logging in and getting a different set of Bookmarks which is great, though I can not figure out how to link the Customization Objects to a Dynamic Access Policy. Also is there any way to allow Smart Tunnels for one group, but not another.

Any advice or recommendations would be appreciated.

Thanks,

Ryan

EDIT: Also I am running ASA 8.0(4)

6 Replies 6

ryan_bell
Level 4
Level 4

Ok I got further with multiple Connection Profiles and Group Policies and using the Group URLs, though still one problem. If a user account belongs to DAP-A and he logs in to https://xxx.xxx.xxx/groupA, everything works great. Though if he happens to know about the https://xxx.xxx.xxx/groupB address and login there, he can still log in and now have Group B's Customization profile, connection profile, and group policy. The user is still locked to group A's settings to what the DAP policy allows (bookmarks, functions, and ACLs) though they can still see the nav panel for group B (including Smart Tunnel access).

How can I restrict users in DAP policy A to only be able to access Connection Profile A and Group Policy A in case they are wise enough to enter in Group B's URL?

Thanks,

Ryan

We need an answer to this question also.  We are trying to migration from AEP Networks Netilla platform to the Cisco ASA SSL/WebVPN platform.

The biggest issue were are running into is how to restrict what is seen on the WebTop via Active Directory Group Policy and how custom objects are linked directly to Dynamic Access Policies.

I am hoping it's right in front of us.  Please help!  Running 8.0(4) on 5510.

Thanks!

JMM

Did you ever find a solution to this?

Sorry - Double Post

What I ended up doing was in each Dynamic Access Policy (DAP), if User belongs to AD Group A AND is using Tunnel Group or Connection Profile A, then assign them to DAP A, otherwise assign them to the Default Access Policy which is set to Deny All.

For the DAP Critera, Set:

  • User has ALL of the following AAA Attributes values
  • AAA Attributes:
    • Cisco AAA Attribute - Connection Profile = SSLVPN_TUNNELA
    • LDAP AAA Attribute - memberOf = AD_GROUPA (for use if LDAP is the AAA Server, use RADIUS if ACS is your AAA Server)

You will then just need a seperate Connection Profile (tunnel group), AD Security group, and DAP for each SSLVPN user group. This setup allows only specific AD groups to a Connection Profile. If a user is in AD Group A but tries to use the URL from Connection Profile B, then they will not match any of the DAP policies and will be put into the DfltAccessPolicy. As long as this policy is set to Terminate All, the user will not have access until to use the correct URL.

Let me know if you need any help, so far I've managed to get everything set, seperates, and locked down using both LDAP as the AAA Server and using an ACS server in between LDAP and the ASA which gives more control and logging.

Thank you for your response.  You have done exaclty what I am trying to do.  Would it be possible to get a sanitized copy of your asa config?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: