ASA Group policy and DAP

taroyamada9999
Level 1

Hi all,

I am planning to implement SSL VPN on ASA 8.2.1.

For example, I create the following 2 DAP records to assign different access rights.

Policy Name: Sales DAP

ldap.memberOf = Sales

Action: continue

Policy Name: Engineering DAP

ldap.memberOf = Engineering

Action: continue

The following group polices are already configured on ASA.

GP_sales

GP_engineering

If userA, who is a member of the Sales OU in Active Directory, accesses the ASA, how does the ASA know that userA should be associated with GP_sales?

Thanks


4 Replies

roshan.maskey
Level 1
Accepted Solution

Hi,

You have to configure an LDAP server on your ASA, and the LDAP attribute is mapped to a Cisco attribute (LDAP memberOf is mapped to Group-Policy).

Then you have to configure the LDAP attribute mapping:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
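The mapping the reply describes, written out as an added ASA configuration example (not from this thread or the linked Cisco document) using the two group policies from the question; the server name AD-LDAP, host 10.0.0.5, the DNs under DC=example,DC=com and the tunnel-group name SSLVPN are assumed.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Assumed: AAA server AD-LDAP at 10.0.0.5, directory DC=example,DC=com,
! tunnel-group SSLVPN. Replace with your own values.

! 1. Translate the AD memberOf attribute into the Cisco Group-Policy attribute.
!    Each map-value turns one group DN into one ASA group-policy name, so a
!    member of CN=Sales lands in GP_sales without any DAP involvement.
ldap attribute-map AD-MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=Sales,OU=Groups,DC=example,DC=com       GP_sales
  map-value memberOf CN=Engineering,OU=Groups,DC=example,DC=com GP_engineering

! 2. Attach the map to the LDAP AAA server used for VPN authentication.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
  ldap-login-password <placeholder-password>
  server-type microsoft
  ldap-attribute-map AD-MAP

! 3. An account whose memberOf values match nothing in the map receives the
!    tunnel-group's default-group-policy. Make that policy deny logins so an
!    unmapped user does not get whatever the defaults happen to allow.
!    Avoid placing one user in both mapped groups: only one Group-Policy value
!    can win, and the order AD returns memberOf values in is not something to
!    rely on.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
  vpn-simultaneous-logins 0

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
  authentication-server-group AD-LDAP
  default-group-policy GP_NOACCESS

! Check the mapping before rolling it out, then confirm the policy a live
! session actually received:
!   test aaa-server authentication AD-LDAP host 10.0.0.5 username userA password <pw>
!   show vpn-sessiondb detail
```

The DAP records from the question still apply on top of this: the attribute map decides which single group policy the session gets, and the matching DAPs then layer their own access attributes over it.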

I appreciate your help!

I understand how the ASA knows which user uses which group policy.

Now I don't quite understand the power of DAP.

If I don't use DAP, what do I miss?

Thanks

With DAP, a VPN remote access session can inherit multiple rule sets (entitlements, authorization/access attributes) based on the various DAPs that match.

Here's a simple example: if a Clientless SSL VPN session matches DAP 1 (bookmark_list 1 and book_mark_list2) and DAP 2 (bookmark_list3), then the resulting entitlement for the session is the aggregation/merge of the 3 bookmark lists on the user's portal (bookmark_list 1 + book_mark_list2 + bookmark_list3).

The VPN session is still associated with only a single group policy, but the access attributes configured in DAP will override the ones in the group-policy. So in this example, if the session is associated with group-policyA, which only has a single bookmark_list4, bookmark lists 1-3 will apply to the VPN session, and not bookmark_list4.

Since a VPN session can only be assigned/associated with a single Group-Policy, the concept of merging/aggregating group policies doesn't exist. Hence the need for the DAPs.

As you know, currently the DAP doesn't have the ability to set all attributes like the group-policy's Banner, Smart-tunnel-list, DNS, IP pool, etc.

That's why a remote access VPN session's resulting entitlement/authorization policy = (DAP access/authorization attributes + AAA attributes + group-policy attributes + DfltGrpPolicy attributes).

Sorry for the late reply.

Thank you very much.

I understand how DAP and group policy interact.

If DAP could cover all the settings, then things would be simpler...