Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSL VPN and DAP with AD


I´m trying to solve a problem with my asa 5510. I would like to publish applications behind Clientless SSL VPN for different users that will belong to groups created in AD. Do i have to use URL to get to the complete separations for bookmarks and for example redirect to a webserver and other layout and access rule at the portal?

I will try to explain what would be ideal and lets see if someone will come up with a solution.

User A (member of ad group RDP_CIFS) logs in and gets a couple of bookmarks to RDP server and also access to Common and Home drive via cifs.

User B (member of ad group Redirect2Site) logs in and get redirected to a internal published rdweb/ericom/citrix server login page.

User C (member of ad group RDP2Server1) logs in and gets only a published rdp connection to server1.

I would like to achive this without the user having to choose in dropbox (for url) or editing the url in adressfield.

The ASA is connected via MSKCD Kerberos AAA server group and my idea was to use DAP for making the the AD group selection of what is published in a new DAP policy.


SSL VPN and DAP with AD

Hello Fredrik,

I think your suggestion is the solution to this treath, I mean doing this via a DAP makes sense. Then the user will be mapped to the right Connection profile without the necessity from him to select the profile.

And you can also custom your own DAP so you can set the right bookmarks for each one of them deppending on the attributes of the AAA server ( the attributes will need to be LDAP,RADIUS or CISCO)



Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura
New Member

SSL VPN and DAP with AD

I have tried this via DAP but i get stuck. How should i configure Connection profiles, Group Policys, Dynamic Access Policies so that user gets different bookmarks and stuff depending on AD group belonging?

If i disable DfltAccessPolicy and creates a new dap where i put the suggested group from AD under Selection Criteria (ldap.memberof=ADGROUP) i´m not able to login at the sslvpn portal. Some other forums suggest the use of Cisco attribute to map against AD to make selection. I´m not really sure if i understand hos this should help.



CreatePlease login to create content