Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
5
Helpful
2
Replies

Anyconnect Organizational Unit DAP Policy

andydaws
Level 1
Level 1

‎12-01-2022 06:44 AM

On Anyconnect (Version 4.10.06079) I am trying to use a DAP policy that has an Endpoint Criteria that tries to match the OU field in the returned Certificate attached the field I am referring to

endpointcriteria.PNG

The OU in the certificate is multilayer by that I mean it looks like OU = Bottom, OU = Middle, OU = Top. If I enter the values in the parameter box either with or without the OU or in reverse (With comma for delimiters) or simply just the one OU I am interested in matching on I can not get it to match

I know the Certificate is being passed and correct as if I set to match on the CN instead which is set to the current user name only it works. But I need to match for every one in the same OU

Any thoughts? Maybe I have the incorrect format in the field not LDAP style or does not work? Can not find any examples of anyone else doing other than a single OU level and that is with ASA not FTD

Labels:
0 Helpful
2 Replies 2

tvotna
Spotlight
Spotlight

‎12-06-2022 08:01 AM

Good question. This may have something to do with multi-valued attributes support in DAP, which may still be limited to aaa.ldap.memberOf. Use "debug dap trace" to understand how ASA parses certificate DN. You should see both subject_fulldn and subject_ou there. I believe that each OU component will be represented as a separate DAP attribute, e.g. subject_ou, subject_ou_1, subject_ou_2, etc. So, you may need to use Lua script to match them, as I'm not sure that ASDM can do the job in this case.

I remember I used the following Lua script to match single OU value:

assert(function()
local match_pattern = "CA_Users"
for k,v in pairs(endpoint.certificate.user) do
match_value = v.subject_ou
if(type(match_value) == "string") then
if (string.find(match_value,match_pattern) ~= nil) then
return true
end
end
end
return false
end) ()

Use the following as a reference:

https://community.cisco.com/t5/user/viewprofilepage/user-id/257681

and let us know how it goes.

 

andydaws
Level 1
Level 1
In response to tvotna

‎12-06-2022 09:14 AM

Will give this a try next week and come back seen something like this before. This is for FTD but still the same

0 Helpful
Customers Also Viewed These Support Documents