Anyconnect VPN and DAP

cowetacoit
Level 1

I'm trying to figure out how to migrate from IPsec to AnyConnect. I have successfully configured AnyConnect to work, although not the way I'd like. With IPsec I'd have one profile for all of our staff and separate individual profiles for vendors that needed certain access to servers or other networks. Since we started looking at AnyConnect we enabled LDAP on the ASA. My question is: how can I assign a single user an ACL which only allows them access to one server or device? I created a DAP but I only see where I can add AD groups, not individual users.

2 Accepted Solutions

Jennifer Halim
Cisco Employee

From DAP, you can use "AAA Attribute Type": Cisco, and match on "Username".

Alternatively, you can place the user into a different LDAP group, and configure a different group-policy for the specific access.

Hope it helps.

No, the license has nothing to do with the issue. The license will allow you only 2 concurrent SSL connections at the moment.

Looks like you are matching on LDAP.username on the DAP policy. Please match on "Cisco" username, instead of "LDAP" username on the DAP policy.

18 Replies


AH, OK. I'm not that familiar with LDAP and AD. Thanks.

Another question. I can't seem to get the DAP to associate with an AnyConnect profile. I'm using LDAP and the AAA attribute "username". When I log in as that user I don't seem to get the ACL I specified in the DAP. Any suggestions why I can't get the DAP to work with my AnyConnect profile?

What do you mean by AnyConnect profile?

I assume that on the DAP policy you assign that particular user the correct "Network ACL Filters" specific for just that one user, as per the attached?

When I connect to the AnyConnect profile my login isn't associating with my DAP profile, which has an ACL limiting my access to certain devices/IPs. As you can see in the picture I attached, I'm using LDAP with username. Do I need to configure an AAA Attribute Map for LDAP?

Can you please share the access-list that you created, and also what is the ip pool subnet?

Also, please connect via AnyConnect, and once connected, please grab the output of the following from the ASA:

show vpn-sessiondb detail svc filter name

Here is the config. Am I supposed to do anything with the AAA Attribute Maps? My knowledge of AD is limited. I was doing some reading and it sounds like I need to have some sort of map between LDAP and Cisco.

Thanks!

OK, the access-list is incorrect. Your VPN Pool is 10.10.18.0/24, but your access-list is sourcing from 10.10.17.26.

Are you trying to allow only access to 10.0.0.31 for that user? You might want to change the ACL to source from 10.10.18.0/24 towards 10.0.0.31.

I've made too many changes. Let's try this again.

Please refer to the attached config. After I cleaned it up I am still not getting the proper ACLs to work with the DAP and profile name EGTS.

Can you please grab the output of "show vpn-sessiondb full svc filter name " instead? The previous show output doesn't seem to include the vpn-filter. Thanks.

What is the behaviour? Are you able to access everything, or are you not able to access anything at all?

I am able to access everything, so I'm thinking the DAP isn't associating with the user when logging in on AnyConnect. Here is the show output.

ASA55201# show vpn-sessiondb full svc filter name EGTS

Session Type: SVC ||

Session ID: 6567 | EasyVPN: 0 | Username: EGTS | Group: CC-SSL-VPN-Vendors | Tunnel Group: CC-SSL-VPN-Vendors | IP Addr: 10.10.19.1 | Public IP: 75.235.159.184 | Protocol: Clientless SSL-Tunnel DTLS-Tunnel | License: SSL VPN | Session Subtype: With client | Encryption: RC4 AES128 | Login Time: 08:24:51 EDT Thu Apr 1 2010 | Duration: 0h:01m:34s | Bytes Tx: 23312 | Bytes Rx: 12403 | NAC Result: Unknown | Posture Token:  | VLAN Mapping: N/A | VLAN:  0 ||

Yeah, I don't see the filter being assigned to the user.

Try to run "debug dap trace" and "debug dap errors", and try to connect again. Please share the debug output. Thanks.

Here ya go! Looks like it is just using the default DAP.

Can you change the DAP check to any one of the below:

ldap.cn=EGTS

ldap.sAMAccountName = egts

cisco.username=EGTS

Thanks,

Kiran
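Two things the thread checks by eye, whether the session record carries a vpn-filter at all and whether the ACL actually sources from the VPN pool rather than a stray host, can be checked from the same "show vpn-sessiondb full" output and "access-list" lines. The following is an added example written for this thread, not code from any of the posters or from Cisco; it assumes the 'full' output stays in the pipe-delimited layout quoted above, that an applied vpn-filter appears as a "Filter Name" field (assumed label), and that only extended "ip" ACEs are present. The session records and ACL lines are constructed.

```python
import ipaddress
# Constructed samples in the pipe-delimited 'show vpn-sessiondb full' layout ('Key: value'
# fields joined by ' | ', records closed by '||'); 'Filter Name' is an assumed field label.
SESSION_NO_FILTER = ("Session Type: SVC || Session ID: 6567 | Username: EGTS | "
                     "IP Addr: 10.10.19.1 | Protocol: Clientless SSL-Tunnel DTLS-Tunnel ||")
SESSION_FILTERED = ("Session Type: SVC || Session ID: 6568 | Username: EGTS | "
                    "IP Addr: 10.10.18.7 | Filter Name: EGTS-ONLY ||")
# Constructed ACLs: the thread's mis-sourced host entry, then one rebased on the pool.
ACL_WRONG = ["access-list EGTS-ONLY extended permit ip host 10.10.17.26 host 10.0.0.31"]
ACL_FIXED = ["access-list EGTS-ONLY extended permit ip 10.10.18.0 255.255.255.0 host 10.0.0.31",
             "access-list EGTS-ONLY extended deny ip any any"]

def parse_full_record(text):
    """Return {field: value} for the session fields in 'full' output."""
    fields = {}
    for record in text.split("||"):
        for field in record.split(" | "):
            key, sep, value = field.partition(":")  # first colon only; times keep theirs
            if sep:
                fields.setdefault(key.strip(), value.strip())
    return fields

def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(lines):
    acls = {}
    for line in lines:
        tok = line.split()  # access-list NAME extended ACTION ip SRC DST
        name, action, rest = tok[1], tok[3], tok[5:]
        src, dst = _addr(rest), _addr(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def check_session(text, acl_lines):
    """Explain why a DAP-assigned filter is not limiting the session, or return None."""
    rec, acls = parse_full_record(text), parse_acls(acl_lines)
    name = rec.get("Filter Name")
    if not name:
        return "no vpn-filter on the session: the DAP record did not match this user"
    client = ipaddress.ip_address(rec["IP Addr"])
    if not any(client in src for _, src, _ in acls.get(name, [])):
        return f"no entry of {name} sources from client {client}; rebase it on the VPN pool"
    return None
```

Run it against the record quoted earlier in the thread and it reports the missing filter, which is the same conclusion Jennifer drew by inspection; once a filter is present it flags an ACL whose source does not cover the assigned pool address.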