topic Re: Dynamic Access Policy (DAP) - memberof in Network Security

Dynamic Access Policy (DAP) - memberof

Albertt — Thu, 06 Nov 2025 12:42:17 GMT

Hello Community,

I have Active Directory successfully integrated with FMC.
My goal is to apply a Dynamic Access Policy (DAP) to my FTD, where the DAP should match a specific Active Directory group and apply a corresponding access policy (for example, ACLs or restrictions).

For example:
If a user belongs to the AD group “DEPARTMENT LOGISTICS”, the DAP should trigger and apply a specific access-list or banner.

In Active Directory, the username is correctly listed under that group, and the group is visible and synchronized in the FMC realm.
However, the DAP condition using the LDAP attribute memberOf does not seem to match when the user connects through VPN — the session always falls back to the Default DAP.

Has anyone experienced this issue or found a reliable way to make the memberOf (or nested group) condition work correctly in FMC?
Any guidance on how to make this criterion match or how to debug the LDAP attributes during authentication would be greatly appreciated.

I tried following LDAP Criteria: memberOf, member and also memberOf:1.2.840.113556.1.4.1941

Thanks in advance,

Albert

Re: Dynamic Access Policy (DAP) - memberof

ahollifield — Thu, 06 Nov 2025 13:52:05 GMT

Why not use SAML instead for all of this?

Re: Dynamic Access Policy (DAP) - memberof

Albertt — Fri, 07 Nov 2025 12:01:02 GMT

Can you share more details?

Re: Dynamic Access Policy (DAP) - memberof

jameswood32 — Fri, 07 Nov 2025 13:30:43 GMT

Hello Community,

I have successfully integrated Active Directory with FMC. My goal is to implement a Dynamic Access Policy (DAP) on my FTD, where the DAP should match a specific Active Directory group and apply a corresponding access policy, such as ACLs or restrictions.

For example:

If a user belongs to the AD group “DEPARTMENT LOGISTICS”, the DAP should trigger and apply a specific access-list or banner.

In Active Directory, the username is correctly listed under that group, and the group itself is visible and synchronized in the FMC realm. However, when a user connects through VPN, the DAP condition using the LDAP attribute memberOf does not match. The session always falls back to the Default DAP.

I have tried multiple LDAP criteria, including:

memberOf
member
memberOf:1.2.840.113556.1.4.1941 (for nested groups)

Despite this, the policy does not trigger as expected.

Has anyone encountered this issue or found a reliable way to make memberOf (or nested group) conditions work correctly in FMC? Any guidance on how to make this criterion match, or tips on debugging LDAP attributes during authentication, would be greatly appreciated.

Thanks in advance,
Albert

Re: Dynamic Access Policy (DAP) - memberof

Rob Ingram — Sun, 09 Nov 2025 10:04:14 GMT

@Albertt If you enable DAP debugs "debug dap trace 127" from system support diagnostic-cli on the FTD CLI, login as the user and look for the LDAP memberOf attribute in the output and confirm the group.

DAP_TRACE: aaa["ldap"]["memberOf"] = "Group-1"

Is the memberOf value in the debug the same as that has been configured in the DAP policy?

Which should be the same in the configured realm