https://community.cisco.com/t5/network-security/cisco-asa-dap-username-attribut-cli/m-p/3733753#M11609 <P>Hey guys,</P> <P>&nbsp;</P> <P>I have just started writing scripts in expect language on my ASA. I am able to create new local users (AAA) and I can remove them, but where I am struggling is creating Dynamic Access Policy and adding a username attribute to it. Here is a part of my script:</P> <P>send "conf t\n"<BR /> expect "(config)#"<BR /> send "access-list [string toupper $username] extended permit ip any host $ip\n"<BR /> expect "(config)#"<BR /> send "dynamic-access-policy-record $username\n"<BR /> expect "(config-dynamic-access-policy-record)#"<BR /> send "network-acl [string toupper $username]\n"<BR /> expect "(config-dynamic-access-policy-record)#"</P> <P>&nbsp;</P> <P>Basically what this does that it first creates an access list rule with desired IP address, then creates DAP record and assigns the previously created acl rule to it. Where I am struggling is how to add the aaa.cisco.username of my user, so that it will use this DAP.</P> <P>&nbsp;</P> <P>I wasn't able to find any CLI command for it, but I can manually click it in GUI (ASDM). Is there some kind of command, that lets me add a username to DAP record? Thank you in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 21 Feb 2020 16:24:06 GMT mklofac 2020-02-21T16:24:06Z https://community.cisco.com/t5/network-security/cisco-asa-dap-username-attribut-cli/m-p/3733753#M11609 <P>Hey guys,</P> <P>&nbsp;</P> <P>I have just started writing scripts in expect language on my ASA. I am able to create new local users (AAA) and I can remove them, but where I am struggling is creating Dynamic Access Policy and adding a username attribute to it. Here is a part of my script:</P> <P>send "conf t\n"<BR /> expect "(config)#"<BR /> send "access-list [string toupper $username] extended permit ip any host $ip\n"<BR /> expect "(config)#"<BR /> send "dynamic-access-policy-record $username\n"<BR /> expect "(config-dynamic-access-policy-record)#"<BR /> send "network-acl [string toupper $username]\n"<BR /> expect "(config-dynamic-access-policy-record)#"</P> <P>&nbsp;</P> <P>Basically what this does that it first creates an access list rule with desired IP address, then creates DAP record and assigns the previously created acl rule to it. Where I am struggling is how to add the aaa.cisco.username of my user, so that it will use this DAP.</P> <P>&nbsp;</P> <P>I wasn't able to find any CLI command for it, but I can manually click it in GUI (ASDM). Is there some kind of command, that lets me add a username to DAP record? Thank you in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 21 Feb 2020 16:24:06 GMT https://community.cisco.com/t5/network-security/cisco-asa-dap-username-attribut-cli/m-p/3733753#M11609 mklofac 2020-02-21T16:24:06Z