Limit of dynamic access policies?

Patrick Tran
Level 1

Hi,

Is there a maximum number of DAP supported by ASA 55XX 9.1 ?

Thanks for your information

Patrick         

4 Replies

Marcin Latosiewicz
Cisco Employee

Patrick,

No limit on the number of policies is imposed, but under 100 is recommended (for high-end deployments). Realistically 20-50 is what we see in most advanced deployments.

We impose a limit on the number of attributes (999) in DAP.

M.

Hi Marcin,

Thanks for your quick answer

We will have about 200 different profiles. (1 profile = 1 ACL = 1 LDAP group)

I wanted to configure one DAP by profile. ASA would check LDAP membership then push network ACL.

We have a 5585X for our production environment. Do you think that it could work?

Or do you have a better idea?

Patrick

Patrick,

Thinking out loud here, maybe without appreciating something grander.

LDAP attribute mapping - map an attribute in LDAP to an ACL (vpn-filter or similar)... depends how complicated the DAP policy would be...

M.

In my case, it could work if a user is member of groups which are explicitly mapped to ACL.

If he belongs to other groups, ASA will try to map those groups to an ACL and then we will get this error:

%ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA 
doesn't exist on the device, terminating connection.

The specified ACL was not found on the ASA.

And it won't work.

I will think about using a specific LDAP attribute, but this will bring other problems (Directory process...)

If you have other ideas, I would be glad to test them

Otherwise I will choose between DAP or LDAP mapping...

Thanks again Marcin !!

Patrick
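Added example, not code from the thread or from Cisco: a small Python script that pulls the %ASA-4-113030 messages Patrick quotes out of a syslog export and reports which ACL names the ASA could not find, flagging the ones that are really unmapped LDAP group DNs (a group the attribute map never translated) versus plain ACL names that are missing from the device. The syslog lines, hostnames, users, addresses and DNs below are constructed for the example.

```python
import re
from collections import defaultdict

# Pattern for the %ASA-4-113030 message quoted in the thread. The ACL name may be
# a full LDAP DN (commas, spaces), so it is captured non-greedily up to the
# fixed " from AAA" token. Group-policy and user names carry no spaces.
ASA_113030 = re.compile(
    r"%ASA-4-113030: Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"User ACL (?P<acl>.+?) from AAA doesn't exist on the device"
)

# Constructed sample syslog export (hostname, users, IPs and DNs are made up).
LOG_SAMPLE = """\
Jun 10 09:12:01 asa1 %ASA-4-113030: Group DfltGrpPolicy User jsmith IP 192.0.2.10 User ACL CN=Finance,OU=Groups,DC=example,DC=com from AAA doesn't exist on the device, terminating connection.
Jun 10 09:12:05 asa1 %ASA-4-113030: Group DfltGrpPolicy User mlee IP 192.0.2.11 User ACL CN=Finance,OU=Groups,DC=example,DC=com from AAA doesn't exist on the device, terminating connection.
Jun 10 09:13:40 asa1 %ASA-4-113030: Group RemoteAdmins User jsmith IP 192.0.2.10 User ACL ACL_HR from AAA doesn't exist on the device, terminating connection.
Jun 10 09:14:02 asa1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.12/51020 (192.0.2.12/51020)
"""

def parse_113030(text):
    """Return one dict (group, user, ip, acl) per 113030 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ASA_113030.search(line)
        if m:
            events.append(m.groupdict())
    return events

def looks_like_ldap_dn(acl_name):
    """True when the 'ACL' is really a raw LDAP group DN, i.e. a memberOf value
    that passed through the attribute map without an explicit mapping."""
    return re.match(r"^(CN|OU|DC)=", acl_name, re.IGNORECASE) is not None

def missing_acl_report(text):
    """Aggregate terminated connections by the ACL name the ASA could not find."""
    report = defaultdict(lambda: {"count": 0, "users": set(), "groups": set(), "unmapped_dn": False})
    for ev in parse_113030(text):
        entry = report[ev["acl"]]
        entry["count"] += 1
        entry["users"].add(ev["user"])
        entry["groups"].add(ev["group"])
        entry["unmapped_dn"] = looks_like_ldap_dn(ev["acl"])
    return dict(report)

if __name__ == "__main__":
    for acl, e in sorted(missing_acl_report(LOG_SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        kind = "unmapped LDAP group" if e["unmapped_dn"] else "ACL missing on device"
        print(f"{e['count']:3d}  {kind:22s} {acl}  users={sorted(e['users'])}")
```

An unmapped-DN entry means the attribute map needs a mapping (or the user's extra group memberships should not reach the map at all); a plain missing ACL name means the mapping exists but the ACL was never created on the ASA.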
