Anyconnect Organizational Unit DAP Policy


On AnyConnect (version 4.10.06079) I am trying to use a DAP policy that has an Endpoint Criteria that tries to match the OU field in the returned certificate; attached is the field I am referring to.

The OU in the certificate is multilayered; by that I mean it looks like OU = Bottom, OU = Middle, OU = Top. If I enter the values in the parameter box, either with or without the OU, or in reverse (with commas as delimiters), or simply just the one OU I am interested in matching on, I cannot get it to match.

I know the certificate is being passed and is correct, because if I set it to match on the CN instead, which is set to the current user name only, it works. But I need it to match for everyone in the same OU.

Any thoughts? Maybe I have the incorrect format in the field (not LDAP style), or it does not work? I cannot find any examples of anyone else doing this other than with a single OU level, and that is with ASA, not FTD.

2 Replies


Good question. This may have something to do with multi-valued attribute support in DAP, which may still be limited to aaa.ldap.memberOf. Use "debug dap trace" to understand how the ASA parses the certificate DN. You should see both subject_fulldn and subject_ou there. I believe that each OU component will be represented as a separate DAP attribute, e.g. subject_ou, subject_ou_1, subject_ou_2, etc. So you may need to use a Lua script to match them, as I'm not sure that ASDM can do the job in this case.

I remember I used the following Lua script to match a single OU value:

    assert(function()
      local match_pattern = "CA_Users"
      -- walk every user certificate DAP collected for this session
      for k, v in pairs(endpoint.certificate.user) do
        local match_value = v.subject_ou
        if (type(match_value) == "string") then
          -- substring match on the single OU component
          if (string.find(match_value, match_pattern) ~= nil) then
            return true
          end
        end
      end
      return false
    end)()

Use the following as a reference:

and let us know how it goes.
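The following is an added example, not code from the original reply or from Cisco's own DAP documentation. It extends the single-OU script above to a subject that carries several OU components, on the assumption the reply makes (unverified here) that DAP exposes them as subject_ou, subject_ou_1, subject_ou_2, and so on, on each entry of endpoint.certificate.user. The sample certificate table is constructed so the script runs in a plain Lua interpreter; the attribute names should be confirmed against the output of "debug dap trace" before the expression is used on a real ASA or FTD.

```lua
-- Added example (not the original poster's or Cisco's code): match one OU
-- value when the certificate subject has several OU components.
-- Assumption, taken from the reply above and not verified here: DAP exposes
-- the components as subject_ou, subject_ou_1, subject_ou_2, ... on each entry
-- of endpoint.certificate.user. Check "debug dap trace" for the real names.

-- Constructed stand-in so the script runs in a plain Lua interpreter. On the
-- firewall the 'endpoint' global already exists and this assignment is skipped.
endpoint = endpoint or {
  certificate = {
    user = {
      { subject_cn = "jdoe", subject_ou = "Bottom",
        subject_ou_1 = "Middle", subject_ou_2 = "Top" },
    },
  },
}

-- Only the assert(function() ... end)() expression belongs in the DAP
-- advanced (Lua) section; the assignment above and the print below are a
-- local harness for testing the logic offline.
local matched = assert(function()
  local wanted_ou = "Middle"            -- the OU shared by everyone in the group
  for _, cert in pairs(endpoint.certificate.user) do
    if type(cert) == "table" then
      for key, value in pairs(cert) do
        -- every OU component is assumed to start with "subject_ou"; compare
        -- the whole value so "Top" does not also match "Topology", which a
        -- plain string.find substring match would accept
        if type(key) == "string" and string.find(key, "^subject_ou")
           and type(value) == "string" and value == wanted_ou then
          return true
        end
      end
    end
  end
  return false
end)()

print(matched)
```

The key order returned by pairs() is not guaranteed, which is why the script scans every attribute name with the subject_ou prefix instead of hard-coding subject_ou_1 and subject_ou_2; a certificate with one, two or five OU components is handled the same way.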


Will give this a try next week and come back; I have seen something like this before. This is for FTD, but it is still the same.
