ASA - DAP Query

ramesh.8901
Level 1

Hi All,

 

I have a bit of a confusion with respect to DAP and need clarity on that:

 

If I go to the selection criteria and do the following - ADD --> AAA attribute Cisco --> Choose Connection-profile and Group-policy - what does this exactly mean? I know that we're doing like an If statement stating that if a user comes with this connection-profile then do the following (in the access/authorization attributes section). But what does it mean if I select group-policy as well in the selection criteria?

 

Also how is the above different from this - ADD --> AAA attribute Cisco --> Choose Connection-profile --> OK --> Again ADD --> AAA Attribute Cisco --> Choose Group-policy.

 

How are the above two inputs different?

 

Thanks in advance!!

 

Regards,

Ramesh


4 Replies

Connection profile is what we know in the CLI as tunnel-group and the group-policy are settings that you can attach per connection profile/tunnel group. There are scenarios where you can select a connection profile/tunnel group but you get mapped to a different group policy.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpngrp.html

The following link has a good example of this scenario. 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

 

Now, in the DAP policies if you specify a Cisco attribute for connection profile and/or group policy, you are configuring a policy ONLY when the user matches these attributes. In other words, this DAP will take place when the user is using the connection profile and/or group policy that is configured.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_dap.html#pgfId-1183627

 

I hope this helps.

 

Hi, Thanks for that. However to me that seems to go against the priority list for VPNs - DAP, user policy, user-group policy, policy assigned to connection profile and then default policy. So the DAP would in this case check to see if the user comes in a connection profile and then check to see whether the defined (mentioned in the selection criteria) user-group policy is assigned to him and then apply the corresponding DAP policy for it? This seems like it's going down the list and then coming back up. Can you help me understand that?

Hello Ramesh,

 

According to the configuration guide, this is the DAP connection sequence.

DAP Connection Sequence

The following sequence outlines a typical remote access connection establishment.

1. A remote client attempts a VPN connection.

2. The security appliance performs posture assessment, using configured NAC and Cisco Secure Desktop Host Scan values.

3. The security appliance authenticates the user via AAA. The AAA server also returns authorization attributes for the user.

4. The security appliance applies AAA authorization attributes to the session, and establishes the VPN tunnel.

5. The security appliance selects DAP records based on the user AAA authorization information and the session posture assessment information.

6. The security appliance aggregates DAP attributes from the selected DAP records, and they become the DAP policy.

7. The security appliance applies the DAP policy to the session.

http://www.cisco.com/c/en/us/td/docs/security/asdm/6_2/user/guide/asdmconfig/vpn_dap.html#wp1138997

 

And this is the policy enforcement flow that you are referring to.

The ASA applies attributes in the following order (see Figure C-1).

1. DAP attributes on the ASA—Introduced in Version 8.0(2), these attributes take precedence over all others. If you set a bookmark or URL list in DAP, it overrides a bookmark or URL list set in the group policy.

2. User attributes on the AAA server—The server returns these attributes after successful user authentication and/or authorization. Do not confuse these with attributes that are set for individual users in the local AAA database on the ASA (User Accounts in ASDM).

3. Group policy configured on the ASA—If a RADIUS server returns the value of the RADIUS CLASS attribute IETF-Class-25 (OU=group-policy) for the user, the ASA places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.

For LDAP servers, any attribute name can be used to set the group policy for the session. The LDAP attribute map that you configure on the ASA maps the LDAP attribute to the Cisco attribute IETF-Radius-Class.

4. Group policy assigned by the Connection Profile (called tunnel-group in the CLI)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication. All users connecting to the ASA initially belong to this group, which provides any attributes that are missing from the DAP, user attributes returned by the server, or the group policy assigned to the user.

5. Default group policy assigned by the ASA (DfltGrpPolicy)—System default attributes provide any values that are missing from the DAP, user attributes, group policy, or connection profile.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1773735

 

The way I understand this is that the user connects to the VPN and to do this they need a connection profile and a group-policy. This will trigger the DAP connection sequence. If there are special AAA attributes (such as a dACL) or group-policy attributes (such as a VPN-filter), DAP will overwrite them according to the policy enforcement flow.

 

I hope this helps.
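The DAP selection on connection profile / group policy described in the first reply and the attribute precedence order quoted above are easier to see as a small model. This is an added example, not Cisco's code or anything from the thread: it assumes that every criterion listed in one DAP record must match, that a later matching record overrides an earlier one on a conflict, and every profile, policy and attribute name is constructed.

```python
# Added example (not Cisco's code): a model of the DAP selection and ASA
# attribute-precedence flows quoted in this thread. All names are constructed.

# Policy enforcement flow, highest precedence first (items 1-5 above).
PRECEDENCE = ["dap", "aaa_user", "group_policy", "connection_profile_gp", "DfltGrpPolicy"]

# Constructed sample configuration.
DAP_RECORDS = [{"name": "Sales-DAP",
                "criteria": {"tunnelgroup": "RA-Profile", "grouppolicy": "Sales-GP"},
                "attributes": {"vpn-filter": "DAP_SALES_ACL"}}]
GROUP_POLICIES = {"Sales-GP": {"vpn-filter": "SALES_ACL", "banner": "Sales users"},
                  "Default-GP": {"banner": "Welcome"}}
CONN_PROFILES = {"RA-Profile": {"default_group_policy": "Default-GP"}}
DFLT_GP = {"vpn-filter": None, "banner": "", "vpn-idle-timeout": 30}
AAA_USER = {}  # the AAA server returns no per-user attributes in this scenario


def dap_matches(record, session):
    """Step 5 of the connection sequence: a record is selected when the
    session's AAA values match its criteria. Assumption of this model: every
    criterion in one record must match (connection profile AND group policy)."""
    return all(session.get(k) == v for k, v in record["criteria"].items())


def aggregate_dap(records, session):
    """Step 6: attributes of all selected records become the DAP policy.
    Assumption: a later record overrides an earlier one on a conflict."""
    policy = {}
    for record in records:
        if dap_matches(record, session):
            policy.update(record["attributes"])
    return policy


def effective_attributes(session):
    """Step 7 plus the enforcement flow: each attribute comes from the
    highest-precedence source that sets it; lower sources only fill gaps.
    Returns {attribute: (value, source)}."""
    profile_gp = CONN_PROFILES[session["tunnelgroup"]]["default_group_policy"]
    sources = {
        "dap": aggregate_dap(DAP_RECORDS, session),
        "aaa_user": AAA_USER,
        "group_policy": GROUP_POLICIES.get(session.get("grouppolicy"), {}),
        "connection_profile_gp": GROUP_POLICIES[profile_gp],
        "DfltGrpPolicy": DFLT_GP,
    }
    resolved = {}
    for name in PRECEDENCE:
        for attr, value in sources[name].items():
            resolved.setdefault(attr, (value, name))  # first hit = highest source
    return resolved
```

With the sample data, a Sales-GP session gets its vpn-filter from the DAP record and its banner from the group policy, while an Eng-GP session matches no DAP record and falls through to the connection profile's default group policy and DfltGrpPolicy.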

 

Cheers Andres. That makes sense. Thank you for the help!!