ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

Hi All,

I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.

The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.

There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.

The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.

I can only do an all or nothing scenario.

It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.

Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.

Scenario 2 would be an ideal longer term solution.

Any thoughts, ideas or assistance would be greatly appreciated.


Nelson Rodrigues
Cisco Employee

Please check out the DAP deployment guide.

So each VPN session will come in on a specific Connection Profile (aka Tunnel Group, TG), with each TG having a default group-policy (GP). The GP contains the authorization attributes to apply to the session. DAP is a specialized Group Policy, but currently cannot set all attributes that the legacy GP does. DAP allows aggregation of authorization attributes, which the GP doesn't.

So for your case:

1) Connection ProfileX , Group-Policy X, 1 or more DAP(s) that check for ldap attribute.memberOf=CarpetBaggers

Set the Action=Continue

Note: LDAP attributes are case sensitive, so make sure memberOf has a capital O.

2) Set the DfltAccessPolicy DAP for Action=Terminate

3) Set your Connection Profile for LDAP authentication.

4) On your console you can see the DAP processing with "debug dap trace".



This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:

   -- Match when the user's DN contains "OU=Users" (e.g. CN=Mr B,OU=Users,...)
   if ( (type(aaa.ldap.distinguishedName) == "string") and
        (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
       return true
   end
   return false

From the debug dap output you can see what "Users" relates to:

DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com

My admin account fails to get me in to the same profile:

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
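As an added example (not code from this thread), here is a DAP advanced logical expression that implements Nelson's step 1 directly on memberOf rather than on the DN: it matches the group's full DN exactly, and it handles the case where the user is in several groups, in which case aaa.ldap.memberOf arrives as a table rather than a string. The group DN CN=CarpetBaggers,OU=Groups,DC=Mycompany,DC=com is a placeholder, and the assert(function() ... end)() wrapper is the form the ASDM advanced-expression guide uses.

```lua
-- DAP "Advanced" logical expression (Lua), Action = Continue on match.
-- Assumption: the AD group's full DN is the placeholder below; replace it
-- with the DN shown by "debug dap trace" for a known member.
assert(function()
  local wanted = "CN=CarpetBaggers,OU=Groups,DC=Mycompany,DC=com"

  -- Compare one memberOf value against the whole group DN. Exact equality,
  -- rather than string.find on "CN=CarpetBaggers", avoids matching a
  -- similarly named group such as CN=CarpetBaggersAdmins and avoids Lua
  -- pattern metacharacters in DN values. The comparison is case sensitive.
  local function is_wanted(dn)
    return type(dn) == "string" and dn == wanted
  end

  local groups = aaa.ldap.memberOf   -- attribute name needs the capital O

  -- A user in exactly one group gets a string; a user in several gets a table.
  if type(groups) == "string" then
    return is_wanted(groups)
  elseif type(groups) == "table" then
    for _, dn in pairs(groups) do
      if is_wanted(dn) then
        return true
      end
    end
  end

  -- Attribute absent (not returned by LDAP, or no direct membership): no
  -- match, so this DAP does not apply and DfltAccessPolicy (Terminate) ends
  -- the session, which is the fail-closed behaviour Nelson's step 2 sets up.
  return false
end)()
```

memberOf lists direct memberships only; users who belong to CarpetBaggers through a nested group will not match this expression.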



Hi all,

I will get back to this post since there is something else that I would like to ask.

I have configured DAP policies and also user access lists (with the AD client installed).

But, what if you want the below scenario:

Apply policies between source AND destination AD groups.

Let the following 3 groups exist in the AD: sales, presales, accounting.

I want webvpn users to have the following policies:

sales <-> sales: allow

presales <-> presales: allow

sales <-> presales: allow

sales <-> accounting: deny

presales <-> accounting: deny

accounting <-> accounting: allow

Keep in mind that I don't want to keep and maintain different client pools for each group.

I want to be dynamic.

It would be great if I could use user based ACLs with source and destination users or/and groups.
