03-26-2010 12:25 PM - edited 02-21-2020 04:34 PM
I'm trying to figure out how to migrate from IPSec to AnyConnect. I have successfully configured AnyConnect to work, although not the way I'd like. With IPSec I'd have 1 profile for all of our staff and separate individual profiles for vendors that needed certain access to servers or other networks. Since we started looking at AnyConnect we enabled LDAP on the ASA. My question is how can I assign a single user an ACL which only allows them access to one server or device? I created a DAP but I only see where I can add AD groups, not individual users.
Accepted Solutions

03-27-2010 01:51 AM
From DAP, you can use "AAA Attribute Type": Cisco, and match on "Username".
Alternatively, you can place the user into a different LDAP group, and configure a different group-policy for the specific access.
Hope it helps.

04-02-2010 05:35 AM
No, license has nothing to do with the issue. License will allow you only 2 concurrent SSL connections at the moment.
Looks like you are matching on LDAP.username on the DAP policy. Please match on "Cisco" username, instead of "LDAP" username on the DAP policy.

03-29-2010 10:05 AM
AH, OK. I'm not that familiar with LDAP and AD. Thanks
03-29-2010 07:14 PM
Another question. I can't seem to get the DAP to associate with an AnyConnect profile. I'm using LDAP and AAA Attribute "username". When I log in as that user I don't seem to get the ACL I specified in the DAP. Any suggestions why I can't get the DAP to work with my AnyConnect profile?

03-29-2010 08:38 PM
What do you mean by AnyConnect profile?
I assume on the DAP policy you assign that particular user the correct "Network ACL Filters" specific for just that 1 user, as per the attached?
03-30-2010 06:02 AM
When I connect to the AnyConnect profile my login isn't associating with my DAP profile, which has an ACL limiting me to access to certain devices/IPs. As you can see in the picture I attached, I'm using LDAP w/ username. Do I need to configure an AAA Attribute Map for LDAP?

03-31-2010 04:32 AM
Can you please share the access-list that you created, and also what is the ip pool subnet?
Also, please connect via AnyConnect, and once connected, please grab the output of the following from the ASA:
show vpn-sessiondb detail svc filter name
03-31-2010 05:39 AM

03-31-2010 05:48 AM
OK, the access-list is incorrect. Your VPN Pool is 10.10.18.0/24, but your access-list is sourcing from 10.10.17.26.
Are you trying to allow only access to 10.0.0.31 for that user? You might want to change the ACL to source from 10.10.18.0/24 towards 10.0.0.31.
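The mismatch diagnosed in this reply (an ACL sourced from an address outside the VPN pool) is easy to miss by eye, so here is an added checker written for this thread, not part of the original posts. It parses constructed ASA-style "ip local pool" and "access-list ... extended permit ip" lines mirroring the values above (pool 10.10.18.0/24, wrong source 10.10.17.26, target host 10.0.0.31) and flags any ACE whose source does not cover the pool; the ACL names and the pool name are assumptions.

```python
# Added example for this thread: flag vpn-filter ACEs whose source network
# cannot contain a client address drawn from the AnyConnect IP pool.
# The config below is constructed to mirror the thread's values.
import ipaddress
import re

CONSTRUCTED_CONFIG = """
ip local pool VPN-POOL 10.10.18.1-10.10.18.254 mask 255.255.255.0
access-list VENDOR-EGTS extended permit ip host 10.10.17.26 host 10.0.0.31
access-list VENDOR-EGTS-FIXED extended permit ip 10.10.18.0 255.255.255.0 host 10.0.0.31
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$")
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$"
)


def parse_pool(cfg):
    """Return the VPN pool as an IPv4 network derived from its start address and mask."""
    for line in cfg.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(3)}", strict=False)
    raise ValueError("no ip local pool found")


def _to_network(token):
    """Convert 'host A.B.C.D' or 'A.B.C.D M.M.M.M' into an IPv4 network."""
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_vpn_filters(cfg):
    """Map each ACL name to True when every permit ACE's source covers the pool."""
    pool = parse_pool(cfg)
    result = {}
    for line in cfg.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src = m.group(1), _to_network(m.group(2))
        ok = pool.subnet_of(src)  # the whole pool must fall inside the ACE source
        result[name] = result.get(name, True) and ok
    return result


if __name__ == "__main__":
    for name, ok in check_vpn_filters(CONSTRUCTED_CONFIG).items():
        print(f"{name}: {'OK' if ok else 'source does not cover the VPN pool'}")
```

A False result means the filter would never match traffic from a connected client, which on an ASA vpn-filter (implicit deny) leaves the user with no access rather than the intended one host.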
03-31-2010 06:57 AM

04-01-2010 02:07 AM
Can you please grab the output of "show vpn-sessiondb full svc filter name"?
What is the behaviour? Are you able to access everything, or are you not able to access anything at all?
04-01-2010 05:26 AM
I am able to access everything, so I'm thinking the DAP isn't associating with the user when logging in on AnyConnect. Here is the show output.
ASA55201# show vpn-sessiondb full svc filter name EGTS
Session Type: SVC ||
Session ID: 6567 | EasyVPN: 0 | Username: EGTS | Group: CC-SSL-VPN-Vendors | Tunnel Group: CC-SSL-VPN-Vendors | IP Addr: 10.10.19.1 | Public IP: 75.235.159.184 | Protocol: Clientless SSL-Tunnel DTLS-Tunnel | License: SSL VPN | Session Subtype: With client | Encryption: RC4 AES128 | Login Time: 08:24:51 EDT Thu Apr 1 2010 | Duration: 0h:01m:34s | Bytes Tx: 23312 | Bytes Rx: 12403 | NAC Result: Unknown | Posture Token: | VLAN Mapping: N/A | VLAN: 0 ||

04-01-2010 05:39 AM
Yeah, i don't see the filter being assigned to the user.
Try to run "debug dap trace" and "debug dap errors", and try to connect again. Please share the debug output. Thanks.
04-01-2010 06:04 AM
04-01-2010 11:58 PM
Can you change the DAP check to any one of the below:
ldap.cn=EGTS
ldap.sAMAccountName = egts
cisco.username=EGTS
Thanks,
Kiran
