Dynamic Access Policy (DAP) - memberof

Albertt
Level 1

Hello Community,

I have Active Directory successfully integrated with FMC.
My goal is to apply a Dynamic Access Policy (DAP) to my FTD, where the DAP should match a specific Active Directory group and apply a corresponding access policy (for example, ACLs or restrictions).

For example:
If a user belongs to the AD group “DEPARTMENT LOGISTICS”, the DAP should trigger and apply a specific access-list or banner.

In Active Directory, the username is correctly listed under that group, and the group is visible and synchronized in the FMC realm.
However, the DAP condition using the LDAP attribute memberOf does not seem to match when the user connects through VPN — the session always falls back to the Default DAP.

Has anyone experienced this issue or found a reliable way to make the memberOf (or nested group) condition work correctly in FMC?
Any guidance on how to make this criterion match or how to debug the LDAP attributes during authentication would be greatly appreciated.

I tried the following LDAP criteria: memberOf, member, and also memberOf:1.2.840.113556.1.4.1941

Thanks in advance,


Albert

 

4 Replies

Why not use SAML instead for all of this?

Can you share more details?

jameswood32
Level 1

Hello Community,

I have successfully integrated Active Directory with FMC. My goal is to implement a Dynamic Access Policy (DAP) on my FTD, where the DAP should match a specific Active Directory group and apply a corresponding access policy, such as ACLs or restrictions.

For example:

  • If a user belongs to the AD group “DEPARTMENT LOGISTICS”, the DAP should trigger and apply a specific access-list or banner.

In Active Directory, the username is correctly listed under that group, and the group itself is visible and synchronized in the FMC realm. However, when a user connects through VPN, the DAP condition using the LDAP attribute memberOf does not match. The session always falls back to the Default DAP.

I have tried multiple LDAP criteria, including:

  • memberOf

  • member

  • memberOf:1.2.840.113556.1.4.1941 (for nested groups)

Despite this, the policy does not trigger as expected.

Has anyone encountered this issue or found a reliable way to make memberOf (or nested group) conditions work correctly in FMC? Any guidance on how to make this criterion match, or tips on debugging LDAP attributes during authentication, would be greatly appreciated.

Thanks in advance,
Albert

@Albertt If you enable DAP debugs ("debug dap trace 127" from system support diagnostic-cli on the FTD CLI), log in as the user, look for the LDAP memberOf attribute in the output and confirm the group.

DAP_TRACE: aaa["ldap"]["memberOf"] = "Group-1"

Is the memberOf value in the debug the same as that has been configured in the DAP policy?

[Screenshot attachment: RobIngram_0-1762682485183.png]

Which should be the same in the configured realm

[Screenshot attachment: RobIngram_1-1762682539245.png]
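As an added example (not code from this thread or from Cisco), here is a small Python helper that performs the comparison Rob describes over the output of "debug dap trace": it pulls every aaa["ldap"][...] attribute out of the trace and reports whether the value configured in the DAP record appears among the returned memberOf values, and if not, whether the mismatch looks like a letter-case difference or a group CN configured where LDAP returned the full DN. The sample trace is constructed, and the optional ["<n>"] index on multi-valued attributes is an assumption about the trace format.

```python
import re
from typing import Dict, List

# One attribute line from 'debug dap trace' output, in the shape shown in the reply:
#   DAP_TRACE: aaa["ldap"]["memberOf"] = "Group-1"
# The optional ["<n>"] index is an assumption covering multi-valued attributes.
_ATTR_RE = re.compile(
    r'DAP_TRACE:\s+aaa\["ldap"\]\["(?P<attr>[^"]+)"\](?:\["\d+"\])?\s*=\s*"(?P<value>[^"]*)"'
)

# Leading CN component of an LDAP distinguished name.
_CN_RE = re.compile(r'^CN=([^,]+)', re.IGNORECASE)

# Constructed sample debug output (not a real capture). The DN-shaped value
# illustrates a group returned as a full distinguished name.
SAMPLE_DEBUG = """\
DAP_TRACE: Username: jdoe, aaa.cisco.username = jdoe
DAP_TRACE: aaa["ldap"]["memberOf"] = "Group-1"
DAP_TRACE: aaa["ldap"]["memberOf"] = "CN=DEPARTMENT LOGISTICS,OU=Groups,DC=example,DC=com"
DAP_TRACE: aaa["ldap"]["department"] = "Logistics"
DAP_TRACE: dap_add_to_lua_tbl:aaa_attr_hash = 0x3a1
"""


def parse_dap_ldap_attrs(debug_text: str) -> Dict[str, List[str]]:
    """Collect every aaa["ldap"][...] attribute from the debug text.

    Values are kept in order of appearance; a multi-valued attribute such as
    memberOf yields a list with one entry per trace line.
    """
    attrs: Dict[str, List[str]] = {}
    for line in debug_text.splitlines():
        m = _ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group("attr"), []).append(m.group("value"))
    return attrs


def check_memberof(debug_text: str, configured_value: str) -> dict:
    """Compare the memberOf values the FTD saw with the value in the DAP record.

    Reason codes in the returned dict:
      exact          - the configured string is present verbatim among the values
      no-memberof    - LDAP returned no memberOf at all (look at the realm / lookup)
      case-mismatch  - same text, different letter case
      cn-vs-dn       - the DAP holds the group CN but LDAP returned the full DN
      not-present    - the group is not among the values the FTD received
    """
    values = parse_dap_ldap_attrs(debug_text).get("memberOf", [])
    result = {"match": False, "reason": "", "values": values, "hint": ""}

    if not values:
        result["reason"] = "no-memberof"
        result["hint"] = "no memberOf attribute in the trace; verify the realm lookup returns group membership"
        return result
    if configured_value in values:
        result.update(match=True, reason="exact", hint="configured value matches a returned memberOf value")
        return result
    if configured_value.lower() in (v.lower() for v in values):
        result["reason"] = "case-mismatch"
        result["hint"] = "same group, different case; copy the value exactly as the trace prints it"
        return result
    for v in values:
        cn = _CN_RE.match(v)
        if cn and cn.group(1).strip().lower() == configured_value.strip().lower():
            result["reason"] = "cn-vs-dn"
            result["hint"] = f"LDAP returned the DN {v!r}; configure the DAP value as the trace returns it"
            return result
    result["reason"] = "not-present"
    result["hint"] = "group not among the returned memberOf values; check the user's membership and nested-group handling"
    return result


if __name__ == "__main__":
    for candidate in ("Group-1", "group-1", "DEPARTMENT LOGISTICS", "Finance"):
        r = check_memberof(SAMPLE_DEBUG, candidate)
        print(f"{candidate!r}: match={r['match']} reason={r['reason']} -> {r['hint']}")
```

Paste the relevant DAP_TRACE lines from the diagnostic CLI into SAMPLE_DEBUG (or read them from a file) and pass the exact string entered in the DAP record; the reason code points at which of the two screenshots above to re-check.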
