Using RADIUS, you can implement class attribute 25 to assign users to a particular group policy. Please refer to the doc below. For LDAP, you can use an LDAP attribute map in order to map an LDAP field to a RADIUS attribute that the ASA can understand. For example, you could map the Department field in the LDAP user record to the RADIUS class attribute using an LDAP attribute map.
Thanks for the answer, but I think the document that you sent me is missing something for the LDAP integration.
I'm just confused about this:
Under the connection profile (where I have the link to use SSL), let's say https://SSL-VPN/management, I specify a group policy, which is management, and I can't leave it blank so the group policy can be assigned dynamically!
So how can I set up my connection profile to use a dynamic group policy for the SSL VPN connection?
A connection profile is the combination of a tunnel group and group policy. If you do not specify a more specific group policy, a tunnel group will default to the DfltGrpPolicy. Configuring an LDAP attribute can override the group policy assignment for users whose configured attribute matches the map statement. In the example doc below, the LDAP memberOf attribute is referenced. This attribute isn't always the best attribute to match because a user can be a member of multiple groups. The ASA, by default, will only match on the first memberOf group in the list. In any event, the LDAP attribute map is configured on the ASA and associated with the LDAP server definition. This LDAP map associates the LDAP attribute (i.e. memberOf) to a RADIUS class attribute that the ASA understands. For example, you can have a connection profile configured on the ASA called VPN which is associated with the DfltGrpPolicy. You then configure two more specific group policies, Employee and Vendor. The LDAP attribute map is configured so that a memberOf response of Employee associates the user to the ASA group policy Employee. A memberOf response of Vendor will associate the user to the ASA Vendor group policy. In both cases, the more specific dynamic group policy assignment overrides the default configured in the respective tunnel group. This approach is common in scenarios where all users connect to the same alias or group URL but need to be assigned different policy attributes.
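The setup described in the reply above, written out as ASA configuration. This is an added example, not part of the original reply or of Cisco's document; the map name, server name and address, bind account, directory DNs, Active Directory server type and group URL are all assumed placeholders.

```cisco
! Constructed example: names, DNs, addresses and the URL are placeholders.
ldap attribute-map VPN-GROUP-MAP
 ! Map the LDAP memberOf attribute to the RADIUS class attribute (25).
 ! ASA 8.2 and later name the same target attribute Group-Policy.
 map-name memberOf IETF-Radius-Class
 ! The right-hand value must match the ASA group-policy name exactly.
 map-value memberOf "CN=Employee,OU=Groups,DC=example,DC=com" Employee
 map-value memberOf "CN=Vendor,OU=Groups,DC=example,DC=com" Vendor
!
! LDAP server definition (assumed to be Active Directory); the attribute
! map is attached to the server, not to the tunnel group.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map VPN-GROUP-MAP
!
! The two specific policies that the map can select.
group-policy Employee internal
group-policy Vendor internal
!
! One connection profile for all users. Its default group policy applies
! only when no map-value matches the user's memberOf response.
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy DfltGrpPolicy
tunnel-group VPN webvpn-attributes
 group-url https://vpn.example.com/vpn enable
```

A user whose memberOf value matches neither `map-value` line keeps the tunnel group's default policy, so that default should grant no more access than an unclassified user is meant to have.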