Cisco Support Community
New Member

ASA Group policy and DAP

Hi all,

I am planning to implement SSL VPN on ASA 8.2.1.

For example, I create the following 2 DAP records to assign different access rights.

Policy Name: Sales DAP

ldap.memberOf = Sales

Action: continue

Policy Name: Engineering DAP

ldap.memberOf = Engineering

Action: continue

The following group policies are already configured on the ASA.

GP_sales

GP_engineering

If userA, who is a member of the Sales OU in Active Directory, accesses the ASA, how does the ASA know that userA should be associated with GP_sales?

Thanks

4 REPLIES
New Member

Re: ASA Group policy and DAP

Hi,

You have to configure the LDAP server on your ASA, and the LDAP attribute is mapped to a Cisco attribute (LDAP memberOf is mapped to Group-Policy).

Then you have to configure the LDAP attribute mapping:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

New Member

Re: ASA Group policy and DAP

I appreciate your help!

I understand how the ASA knows which user uses which group policy.

Now I don't quite understand the power of DAP.

If I don't use DAP, what do I miss?

Thanks

Cisco Employee

Re: ASA Group policy and DAP

With DAP, a VPN remote access session can inherit multiple rule sets (entitlements, authorization/access attributes) based on the various DAPs that match.

Here's a simple example: if a Clientless SSL VPN session matches DAP 1 (bookmark_list1 and bookmark_list2) and DAP 2 (bookmark_list3), then the resulting entitlement for the session is the aggregation/merge of the 3 bookmark lists on the user's portal (bookmark_list1 + bookmark_list2 + bookmark_list3).

The VPN session is still associated with only a single group policy, but the access attributes configured in DAP will override the ones in the group policy. So in this example, if the session is associated with group-policyA, which only has a single bookmark_list4, bookmark lists 1-3 will apply to the VPN session, and not bookmark_list4.

Since a VPN session can only be assigned/associated with a single group policy, the concept of merging/aggregating group policies doesn't exist. Hence the need for the DAPs.

As you know, currently DAP doesn't have the ability to set all attributes, like the group policy's banner, smart-tunnel list, DNS, IP pool, etc.

That's why a remote access VPN session's resulting entitlement/authorization policy = (DAP access/authorization attributes + AAA attributes + group-policy attributes + DfltGrpPolicy attributes).
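A complete ASA 8.2 configuration that ties the two answers above together (the LDAP attribute map that picks the single group policy, and the DAP records that layer entitlements on top of it). This is an added illustration, not configuration from the thread or from Cisco's documentation. It assumes a domain example.com, a domain controller at 10.0.0.10 reachable on the inside interface, a bind account asa-bind, group DNs under OU=Groups, and ACL, pool and bookmark-list names of my own choosing; the DAP record names are the original poster's with spaces replaced by underscores. The matching condition of each DAP (ldap.memberOf = Sales, ldap.memberOf = Engineering) is entered in ASDM and stored in dap.xml on flash, so it does not appear in the CLI running config; only each record's resulting attributes do, which is why the condition is repeated in the description.

```text
! --- 1. LDAP server and attribute map (first answer) ---
! map-value must carry the group's full DN exactly as AD returns it in
! memberOf; the DAP condition, by contrast, matches the bare CN "Sales".
! (DNs and addresses below are assumptions for this example.)
ldap attribute-map AD_TO_GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=Sales,OU=Groups,DC=example,DC=com" GP_sales
 map-value memberOf "CN=Engineering,OU=Groups,DC=example,DC=com" GP_engineering

aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_TO_GP

! --- 2. Group policies: the one-per-session baseline ---
! Settings DAP cannot supply in 8.2 (banner, DNS, address pool) live here.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_sales internal
group-policy GP_sales attributes
 vpn-tunnel-protocol webvpn
 banner value Sales portal - authorised users only
 webvpn
  url-list value Sales_Portal_Links

group-policy GP_engineering internal
group-policy GP_engineering attributes
 vpn-tunnel-protocol webvpn svc
 dns-server value 10.0.0.53
 address-pools value ENG_POOL
 webvpn
  url-list value Eng_Portal_Links

! --- 3. Tunnel group ---
! A user whose memberOf matches no map-value lands in the tunnel group's
! default group policy, so point that at a deny-all policy rather than
! leaving it on DfltGrpPolicy.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD
 default-group-policy GP_NOACCESS
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable

! --- 4. DAP records (second answer) ---
! Every record whose ASDM condition matches contributes: the url-lists of
! all matching records merge and replace the group policy's url-list.
! DfltAccessPolicy applies only when no other record matches, so it
! terminates instead of silently continuing.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "No access policy matched your account."

dynamic-access-policy-record Sales_DAP
 description "ASDM condition: ldap.memberOf = Sales"
 webvpn
  url-list value Sales_Bookmarks
 action continue
 priority 10

dynamic-access-policy-record Engineering_DAP
 description "ASDM condition: ldap.memberOf = Engineering"
 network-acl ENG_ACL
 webvpn
  url-list value Eng_Bookmarks
 action continue
 priority 20
```

With this in place, userA from the question (member of Sales only) authenticates against AD, the attribute map assigns GP_sales, Sales_DAP matches, and the portal shows Sales_Bookmarks rather than Sales_Portal_Links, exactly the override the second answer describes; the banner still comes from GP_sales because DAP cannot set it. A user who is in both groups gets both DAPs, so both bookmark lists, but still only one group policy: which map-value wins for a multi-valued memberOf is not something to design around, which is the point of expressing per-group entitlements in DAP. Before going live, confirm the mapping with `test aaa-server authentication AD host 10.0.0.10 username userA password <pw>` and watch `debug ldap 255` for the Group-Policy value the map produces, and `debug dap trace` for the records selected; then log in as an account in neither group and check that the session is refused rather than admitted under a default policy.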

New Member

Re: ASA Group policy and DAP

Sorry for late reply.

Thank you very much.

I understand how DAP and group policy interacts.

If DAP could cover all the settings, then things would be simpler...
