08-14-2013 03:07 AM
Hi,
Is there a maximum number of DAP supported by ASA 55XX 9.1 ?
Thanks for your information
Patrick
08-14-2013 04:19 AM
Patrick,
No limit of policies is imposed, but under 100 is recommended (for high end deployments). Realistically 20-50 is what we see in most advanced deployments.
We impose limit on the amount of attributes (999) in DAP.
M.
08-14-2013 04:45 AM
Hi Marcin,
Thanks for your quick answer
we will have about 200 different profiles. (1 profile = 1 ACL = 1 LDAP group)
I wanted to configure one DAP by profile. ASA would check LDAP membership then push network ACL.
We have a 5585X for our production environment. Do you think that it could work?
Or do you have a better idea?
Patrick
08-14-2013 05:35 AM
Patrick,
Thinking out loud here, maybe without appreciating something grander.
LDAP-attribute-mapping - map an attribute in LDAP to ACL (vpn-filter or similar)... depends how complicated the DAP policy would be...
M.
08-14-2013 07:50 AM
In my case, it could work if a user is member of groups which are explicitly mapped to ACL.
If he belongs to other groups, ASA will try to map those groups to ACL then we will get this error:
%ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA doesn't exist on the device, terminating connection.
The specified ACL was not found on the ASA.
And it won't work.
I will think about using specific LDAP attribute but this will bring other problems (Directory process...)
If you have other ideas, I would be glad to test them
Otherwise I will choose between DAP or LDAP mapping...
Thanks again Marcin!!
Patrick
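Marcin's LDAP-attribute-mapping suggestion and the unmapped-group failure Patrick hits, written out as an added ASA configuration example (constructed here, not posted by either of them): an `ldap attribute-map` that turns AD memberOf values into vpn-filter ACL names, so one map entry per group replaces one DAP per group. The server name, map name, ACL names, group DNs, addresses and user are assumed placeholders.

```cisco
! --- Constructed example: LDAP attribute map instead of one DAP per group ---
! Assumed names (not from the thread): LDAP-SRV, LDAP-MAP, ACL-FINANCE, ACL-HR,
! the group DNs, the 10.x addresses and the user jdoe.
!
! Per-group filters that the map references by name. Each name must exist
! exactly as written, or the mapped session is dropped with %ASA-4-113030.
access-list ACL-FINANCE extended permit ip any 10.10.10.0 255.255.255.0
access-list ACL-FINANCE extended deny ip any any
access-list ACL-HR extended permit ip any 10.10.20.0 255.255.255.0
access-list ACL-HR extended deny ip any any
!
! memberOf -> IETF-Radius-Filter-Id makes the mapped value act as the vpn-filter.
! A memberOf value with no map-value line is passed through as a literal ACL
! name (the group DN), which does not exist on the ASA; that is the
! "ACL from AAA doesn't exist on the device" case Patrick reports above.
! Users in several groups are the case to validate in the lab before rollout.
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Filter-Id
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" ACL-FINANCE
 map-value memberOf "CN=VPN-HR,OU=Groups,DC=example,DC=com" ACL-HR
!
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER-PASSWORD
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-SRV
!
! Verification from exec mode: shows the attributes the map returns for a user
! without a client connecting, so missing map-value lines surface before
! anyone is disconnected by 113030.
! test aaa-server authentication LDAP-SRV host 10.0.0.10 username jdoe password PLACEHOLDER
! debug ldap 255
```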