ASA DAP expressions?

fsmontenegro
Level 1

Hi,

Not sure if this belongs in AAA or firewalling. I apologize for the mix-up.

Does anyone know if there's a user-friendly (i.e. non-LUA) way of matching a single DAP entry to the following constraint:

- match specific connection profile

- match one of many specific usernames.

I know I can easily create an LDAP group, put the users there and match on the memberOf attribute, but I'm trying to define local policies on the ASA for a limited number of users WITHOUT creating external LDAP groups and without having multiple DAP entries (connprofile/user1, connprofile/user2, connprofile/user3, ...).

Any insights?

Thanks!

2 Replies

sbader48220
Level 1

I haven't tested this fully, but using the 'test dynamic access policies' option, it appeared to work. I'm not an expert, but thought this was an interesting application, so I messed around a bit.

Create a new DAP, and choose "User has ANY of the following AAA attribute values", then add->cisco->username and add the username. Add a separate entry for each username.

Once you add the usernames, click on the 'advanced' line below the AAA attributes box, click 'AND', and add the following:

EVAL(aaa.cisco.tunnelgroup, "EQ","TunnelGroupName")

Obviously replacing the tunnelgroupname entry with the group you want to match.

Give it a shot and let us know!

-Steve
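The same two constraints (one connection profile, a short list of local usernames) can also be expressed entirely in the DAP "Advanced" Lua field, which avoids adding a separate AAA-attribute row per user. This is an added example, not code from the thread or from Cisco; the profile name and usernames are constructed placeholders, and it assumes the attribute path aaa.cisco.username (the "cisco -> username" entry referred to above) and the four-argument EVAL form with a trailing "string" type, as used in Cisco's DAP documentation.

```lua
-- Added example (not from the thread): one DAP "Advanced" Lua expression that
-- is true only when the session arrived on a given connection profile AND the
-- authenticated username is in a small hard-coded allow list.
assert(function()
  -- Constructed allow list; replace with the real local usernames.
  local allowed = { ["user1"] = true, ["user2"] = true, ["user3"] = true }

  -- Connection profile (tunnel group) check. "ExampleProfile" is a placeholder.
  -- The trailing "string" argument follows the EVAL form in Cisco's DAP docs.
  if not EVAL(aaa.cisco.tunnelgroup, "EQ", "ExampleProfile", "string") then
    return false
  end

  -- aaa.cisco.username is assumed to hold the authenticated username.
  -- A table lookup is an exact, case-sensitive match, so a user outside the
  -- list (or a missing attribute) yields nil and the DAP does not apply.
  return allowed[aaa.cisco.username] == true
end)()
```

The expression should evaluate to true or false only; the DAP engine treats a true result as a match for this record, so the record's access-policy settings (permit/deny, ACLs, and so on) still have to be set on the DAP itself. Because the username match is exact and case-sensitive, confirm with the 'test dynamic access policies' tool that the username as the ASA sees it after authentication (for example, with or without a domain prefix) is the form stored in the list.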

Hi,

# In order to match a specific user name, check the option "Default Dynamic Access Policy".

# For the connection profile, you may refer to the DAP implementation profile.

Here is the guide:

Dynamic Access Policies (DAP) Deployment Guide

https://supportforums.cisco.com/docs/DOC-1369#DAP_Implementation

HTH

Regards,

JK

~Jatin