I'm setting up SSL VPN using Dynamic Access Policies to control different LDAP groups who log in. So far I have everything working with people in different AD groups logging in and getting a different set of Bookmarks, which is great, though I cannot figure out how to link the Customization Objects to a Dynamic Access Policy. Also, is there any way to allow Smart Tunnels for one group but not another?
Any advice or recommendations would be appreciated.
OK, I got further with multiple Connection Profiles and Group Policies and using the Group URLs, though there is still one problem. If a user account belongs to DAP-A and he logs in to https://xxx.xxx.xxx/groupA, everything works great. Though if he happens to know about the https://xxx.xxx.xxx/groupB address and logs in there, he can still log in and now has Group B's Customization profile, connection profile, and group policy. The user is still locked to group A's settings for what the DAP policy allows (bookmarks, functions, and ACLs), though they can still see the nav panel for group B (including Smart Tunnel access).
How can I restrict users in DAP policy A to only be able to access Connection Profile A and Group Policy A in case they are wise enough to enter in Group B's URL?
What I ended up doing was in each Dynamic Access Policy (DAP), if User belongs to AD Group A AND is using Tunnel Group or Connection Profile A, then assign them to DAP A, otherwise assign them to the Default Access Policy which is set to Deny All.
For the DAP Criteria, set:
User has ALL of the following AAA Attribute values
LDAP AAA Attribute - memberOf = AD_GROUPA (for use if LDAP is the AAA server; use RADIUS if ACS is your AAA server)
You will then just need a separate Connection Profile (tunnel group), AD Security group, and DAP for each SSLVPN user group. This setup allows only specific AD groups to a Connection Profile. If a user is in AD Group A but tries to use the URL from Connection Profile B, then they will not match any of the DAP policies and will be put into the DfltAccessPolicy. As long as this policy is set to Terminate All, the user will not have access until they use the correct URL.
Let me know if you need any help; so far I've managed to get everything set, separated, and locked down using both LDAP as the AAA Server and using an ACS server in between LDAP and the ASA, which gives more control and logging.
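To make the matching logic above concrete, here is an added model of the DAP selection described in this thread (constructed example, not Cisco code or anything from the ASA itself): each DAP record requires ALL of its AAA attribute criteria to match, every matching record is aggregated, and a session that matches no record falls into DfltAccessPolicy. The attribute names mirror the ASA's `aaa.ldap.memberOf` and `aaa.cisco.tunnelgroup`; the group and tunnel-group values (AD_GROUPA, groupA, and so on) are hypothetical placeholders taken from the thread's own naming.

```python
# Model of ASA Dynamic Access Policy (DAP) selection as the thread describes it.
# Constructed example, not Cisco code: a real ASA evaluates its DAP records against
# the session's AAA attributes; this only reproduces the decision logic so the
# "user in AD group A but using group B's URL" case can be checked offline.

TERMINATE = "terminate"
CONTINUE = "continue"

# Each DAP record: ALL of its criteria must match ("User has ALL of the following
# AAA Attribute values"). The group/tunnel-group values are hypothetical.
DAP_RECORDS = [
    {"name": "DAP_A", "action": CONTINUE,
     "criteria": {"aaa.ldap.memberOf": "AD_GROUPA", "aaa.cisco.tunnelgroup": "groupA"}},
    {"name": "DAP_B", "action": CONTINUE,
     "criteria": {"aaa.ldap.memberOf": "AD_GROUPB", "aaa.cisco.tunnelgroup": "groupB"}},
]
# DfltAccessPolicy set to Terminate, as the thread recommends.
DEFAULT_DAP = {"name": "DfltAccessPolicy", "action": TERMINATE}


def attribute_matches(session, name, wanted):
    """memberOf is multi-valued in LDAP, so a match is 'any value equals wanted'
    (compared case-insensitively, like the ASA's caseless option)."""
    value = session.get(name)
    values = value if isinstance(value, list) else [value]
    return any(v is not None and v.lower() == wanted.lower() for v in values)


def record_matches(session, record):
    """A record matches only when every one of its criteria matches (logical AND)."""
    return all(attribute_matches(session, n, w) for n, w in record["criteria"].items())


def select_dap(session):
    """Return (matched record names, resulting action). No match -> DfltAccessPolicy."""
    matched = [r for r in DAP_RECORDS if record_matches(session, r)]
    if not matched:
        return [DEFAULT_DAP["name"]], DEFAULT_DAP["action"]
    # Matching records are aggregated; a terminate in any of them wins.
    action = TERMINATE if any(r["action"] == TERMINATE for r in matched) else CONTINUE
    return [r["name"] for r in matched], action


if __name__ == "__main__":
    # Constructed sessions: a member of AD_GROUPA logging in on each group URL.
    for tunnel_group in ("groupA", "groupB"):
        session = {"aaa.ldap.memberOf": ["AD_GROUPA"], "aaa.cisco.tunnelgroup": tunnel_group}
        print(tunnel_group, "->", select_dap(session))
```

The second session (group A member on the groupB URL) matches neither record and lands in DfltAccessPolicy, which is exactly why that policy must be set to Terminate.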