12-03-2009 01:06 AM
Hi all,
I am planning to implement SSL VPN on ASA 8.2.1.
For example, I create the following 2 DAP records to assign different access right.
Policy Name: Sales DAP
ldap.memberOf = Sales
Action: continue
Policy Name: Engineering DAP
ldap.memberOf = Engineering
Action: continue
The following group polices are already configured on ASA.
GP_sales
GP_engineering
If userA, who is a member of the Sales OU in Active Directory, accesses the ASA, how does the ASA know that userA should be associated with GP_sales?
Thanks
12-03-2009 03:03 AM
Hi,
You have to configure an LDAP server in your ASA, and the LDAP attribute is mapped to a Cisco attribute (LDAP memberOf is mapped to Group-Policy).
Then you have to configure the LDAP attribute mapping:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
12-03-2009 04:58 PM
I appreciate your help!
I understand how the ASA knows which user uses which group policy.
Now I don't quite understand the power of DAP.
If I don't use DAP, what do I miss?
Thanks
12-16-2009 08:25 AM
With DAP, a VPN remote access session can inherit multiple rule sets (entitlements, authorization/access attributes) based on the various DAPs that match.
Here's a simple example: if a Clientless SSL VPN session matches DAP 1 (bookmark_list1 and bookmark_list2) and DAP 2 (bookmark_list3), then the resulting entitlement for the session is the aggregation/merge of the 3 bookmark lists on the user's portal (bookmark_list1 + bookmark_list2 + bookmark_list3).
The VPN session is still associated with only a single group policy, but the access attributes configured in DAP will override the ones in the group policy. So in this example, if the session is associated with group-policyA, which only has a single bookmark_list4, bookmark lists 1-3 will apply to the VPN session, and not bookmark_list4.
Since a VPN session can only be assigned/associated with a single group policy, the concept of merging/aggregating group policies doesn't exist. Hence the need for the DAPs.
As you know, currently the DAP doesn't have the ability to set all attributes like the group policy's banner, smart-tunnel list, DNS, IP pool, etc.
That's why a remote access VPN session's resulting entitlement/authorization policy = (DAP access/authorization attributes + AAA attributes + group-policy attributes + DfltGrpPolicy attributes).
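As an added example (not from this thread and not Cisco's own code), a small Python model of the resolution described in the two answers above: the LDAP attribute map picks the single group policy, every matching DAP contributes access attributes that are aggregated and override the group policy's own, and anything a DAP cannot set falls through AAA, group-policy and DfltGrpPolicy attributes. The AD group DNs, group-policy contents and field names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical ldap attribute map (memberOf -> Group-Policy): AD group DN -> ASA group policy.
MEMBEROF_TO_GP = {
    "CN=Sales,OU=Groups,DC=example,DC=com": "GP_sales",
    "CN=Engineering,OU=Groups,DC=example,DC=com": "GP_engineering",
}

@dataclass
class DapRecord:
    name: str
    member_of: str                  # ldap.memberOf selection criterion
    url_lists: list = field(default_factory=list)  # access attribute a DAP can set
    action: str = "continue"        # "continue" or "terminate"

def select_group_policy(member_of, attr_map=MEMBEROF_TO_GP, default="DfltGrpPolicy"):
    """One group policy per session: the first memberOf value in the map wins."""
    for dn in member_of:
        if dn in attr_map:
            return attr_map[dn]
    return default

def effective_policy(member_of, daps, aaa_attrs, group_policies, dflt_grp_policy):
    """Result = DAP attributes + AAA attributes + group-policy + DfltGrpPolicy."""
    gp_name = select_group_policy(member_of)
    policy = dict(dflt_grp_policy)             # least specific layer first ...
    policy.update(group_policies.get(gp_name, {}))
    policy.update(aaa_attrs)                   # ... each layer overrides the last
    matched = [d for d in daps if any(d.member_of in dn for dn in member_of)]
    if any(d.action == "terminate" for d in matched):
        return {"action": "terminate", "group_policy": gp_name}
    if matched:
        # DAP aggregation: merge the url lists of all matching DAPs; the merged set replaces the group policy's own list.
        merged = []
        for d in matched:
            for u in d.url_lists:
                if u not in merged:
                    merged.append(u)
        policy["url_lists"] = merged
    policy.update(group_policy=gp_name, matched_daps=[d.name for d in matched])
    return policy

def demo():
    # Constructed scenario: userA is in both AD groups; the DAPs mirror the question.
    daps = [DapRecord("Sales DAP", "Sales", ["bookmark_list1", "bookmark_list2"]),
            DapRecord("Engineering DAP", "Engineering", ["bookmark_list3"])]
    gps = {"GP_sales": {"url_lists": ["bookmark_list4"], "banner": "Sales portal"},
           "GP_engineering": {"url_lists": ["bookmark_list5"]}}
    dflt = {"banner": "Authorized use only", "dns": "10.0.0.53", "url_lists": []}
    return effective_policy(list(MEMBEROF_TO_GP), daps, {}, gps, dflt)
```

Running `demo()` shows bookmark_list4 from GP_sales being replaced by the three DAP lists while the banner still comes from GP_sales and the DNS setting from DfltGrpPolicy.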
12-16-2009 04:54 PM
Sorry for late reply.
Thank you very much.
I understand how DAP and group policy interact.
If DAP can cover all the setting, then things are more simple...