I have an ASA 5510 and I am trying to implement Dynamic Access Policies (DAP) for SSL VPN remote access control. I have created several policies for specific vendors/users and am having a hard time enforcing them. Specifically, the Selection ...
Rahul, You hit the nail on the head. I had to change the attribute to 25 and then ALSO create a corresponding attribute on the RADIUS server. That attribute was the Class attribute with the Security Group being its value. Thank you all for your help. O...
Hmmm. The "testvpngroup" below is representative of a Cisco Group Policy, not the Active Directory security Group. In doing the RADIUS debug, I did see the 4242 value get passed. I got the 4242 value from the ASA help that stated it was the "Member...
Wow, thanks. One of those "duh" moments. I changed the DAP Selection Criteria to the RADIUS Attribute ID 4242 and a value of . It's still not enforcing the DAP. Thanks again for your help. Here is the debug output:
DAP_TRACE: Username: testuser, aaa.rad...
Herbert -- My apologies. It looks as if it is falling to the default access policy instead of the one designated for this user. Here is the sanitized output:
DAP_TRACE: Username: testname, aaa.radius["4121"]["1"] = testgroup
DAP_TRACE: Username: testname...
Herbert, Thanks for the suggestion. Here is the output of the debug commands.
debug ldap 255 -> debug ldap enabled at level 255
debug dap trace -> debug dap trace enabled at level 1