Cisco Support Community

Migrating to Dynamic Access Policies on ASA 8.4(3)

Hi all,

I want to configure Dynamic Access Policies for Remote Access VPN users on our ASA. Currently IPSec VPN and SSL (Clientless and AnyConnect) users are authenticated using two different RADIUS servers. RADIUS server 1 will authenticate IPSec users, and RADIUS server 2 will authenticate the SSL users.

I want all users to be authenticated against one RADIUS server, which I believe I can achieve through DAP.

I was just after some clarification regarding migrating to DAP policies.

Once I start configuring DAP policies, will the DAP policies take precedence over the configured tunnel groups for the VPNs? (In other words, will current VPN connections be stopped until a suitable DAP policy is in place?)

If I understand correctly, if I leave the default DAP policy untouched, then users should still be able to connect to VPN using the tunnel groups.



HTH Paul ****Please rate useful posts****
Cisco Employee

Migrating to Dynamic Access Policies on ASA 8.4(3)

Hi Paul,

I'm not 100% sure I understand your requirements - if all you want is to use the same RADIUS server for all types of access, then you can just configure the same server for all tunnel-groups.

Going one step further, you might even merge all tunnel-groups into a single one.

You would not need DAP for any of this.

You could use DAP to implement a more granular policy with rules like "if the user connects to tunnel-group X and RADIUS attribute Y has value Z then deny access".

I hope this helps, let me know if I misunderstood or if you want to discuss this in more detail.
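To illustrate the point made in the reply, here is an added ASA configuration fragment (not from either poster): one aaa-server group is referenced by both the IPsec and SSL tunnel-groups, so no DAP rule is needed for authentication. The server group name, tunnel-group names, address and key are placeholders; the default DAP record is left as shipped so existing sessions keep using their tunnel-group settings.

```text
! Single RADIUS server group shared by all remote-access tunnel-groups
aaa-server RADIUS-ALL protocol radius
aaa-server RADIUS-ALL (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! IPsec remote-access tunnel-group now authenticates against RADIUS-ALL
tunnel-group IPSEC-RA type remote-access
tunnel-group IPSEC-RA general-attributes
 authentication-server-group RADIUS-ALL
 default-group-policy IPSEC-RA-POLICY

! SSL (clientless and AnyConnect) tunnel-group uses the same server group
tunnel-group SSL-RA type remote-access
tunnel-group SSL-RA general-attributes
 authentication-server-group RADIUS-ALL
 default-group-policy SSL-RA-POLICY

! Default DAP record untouched: it matches every session and applies
! no additional restrictions, so the tunnel-group/group-policy
! attributes above remain in effect. Selection criteria for any
! additional records (tunnel-group name, RADIUS attribute values)
! are defined in ASDM and stored in dap.xml, not in this CLI config.
dynamic-access-policy-record DfltAccessPolicy
```

Verify with `show aaa-server RADIUS-ALL` and `test aaa-server authentication RADIUS-ALL host 192.0.2.10 username <user>` before cutting the second RADIUS server over.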

