Dynamic access policy ACL not beeing applied to user

itsupport — Tue, 12 Mar 2019 03:57:23 GMT

Trying to setup dynamic access policy to restrict some users from being able to get on VPN. Our default policy allows everybody on VPN, we just need to exclude a small number of contractors. I created an AD group called NoVPN & put a new test user into it (testnovpn)

I'll created a new dynamic access policy & set the ldap.MemberOf = NoVpn (which is an Active Directory group) & to then terminate.

But this user can still connect to VPN. Config looks like following & the ASA is able to query for LDAP groups just fine if I click edit

Debug attached, I don't see any reference to the LDAP group?

# debug dap trace

debug dap trace enabled at level 1

# debug ldap 255

debug ldap enabled at level 255

DAP_TRACE: dap_add_to_lua_tree:aaa.radius["7"]["1"]="1"

DAP_TRACE: name = aaa.radius["7"]["1"], value = "1"

DAP_TRACE: dap_add_to_lua_tree:aaa.radius["6"]["1"]="2"

DAP_TRACE: name = aaa.radius["6"]["1"], value = "2"

DAP_TRACE: dap_add_to_lua_tree:aaa.radius["25"]["1"] contains binary data

DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8209"]["1"] contains binary data

DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8208"]["1"] contains binary data

DAP_TRACE: dap_add_to_lua_tree:aaa.radius["8218"]["1"]=""

DAP_TRACE: name = aaa.radius["8218"]["1"], value = ""

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="DfltGrpPolicy"

DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "DfltGrpPolicy"

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="testnovpn"

DAP_TRACE: name = aaa["cisco"]["username"], value = "testnovpn"

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="testnovpn"

DAP_TRACE: name = aaa["cisco"]["username1"], value = "testnovpn"

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""

DAP_TRACE: name = aaa["cisco"]["username2"], value = ""

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="companyemployee"

DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "companyemployee"

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"

DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"

DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"

DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"

DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.04063"

DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.04063"

DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="mac-intel"

DAP_TRACE: name = endpoint.anyconnect.platform, value = "mac-intel"

DAP_TRACE: Username: testnovpn, Selected DAPs:

DAP_TRACE: dap_process_selected_daps: selected 0 records

DAP_TRACE: Username: testnovpn, dap_aggregate_attr: rec_count = 1

DAP_TRACE: Username: testnovpn, Selected DAPs: DfltAccessPolicy