ASAv DAP + LDAP - how match users to tunnel-group or group-policy

sSiDiUSs
Level 1

Looking at https://community.cisco.com/t5/vpn/how-dap-are-mapped-to-tunnel-group/td-p/5222894 is not very clear to me... we do not use ISE or RADIUS yet.

I read a lot of threads here and the manual, but do not understand how to make DAP not affect other users.

I have 10 TGs and so 10 GPs, also an LDAP attribute map to all GPs. 10 different CNs in AD, with a split ACL applied in the GP on the ASAv.

1 GP or TG, say CONTRACTORS, has to be checked by HostScan\DAP (security reasons); all the rest of the GPs and TGs untouched (employees).
When I configure DAP to check the registry and installed corporate software for CONTRACTORS, I see in the DAP trace that it connects and checks fine.
But when I use any other group in the AnyConnect client I get dropped by "vpntester, Selected DAPs: DfltAccessPolicy".
Do I need to create DAPs for all GPs or TGs?

3 Replies

sSiDiUSs
Level 1

OK, something is a bit clearer to me.
I could find info in the manual about the standard split ACL and the DAP network ACL.
I do not see routes in the client tab "Route Details"... if I use a scheme without split access. Without a split ACL there is no internet access, but I could access the hosts\networks defined in the DAP Network ACL.
Does it mean that without a split ACL there is a "full tunnel network" and, if NAT is not configured, the user has access only to the hosts\networks defined in the DAP Network ACL?

sSiDiUSs
Level 1

Am I right? If a standard split ACL is configured on all GPs, and 1 DAP rule points to GP1, a 2nd to GP2, etc.,
what is the benefit of the ACL in DAP called Network ACL? Controlling traffic with specified protocols and\or ports?
The point I am trying to achieve is to run DAP with a security check on 1 GP, and the rest should be bypassed.

sSiDiUSs
Level 1

I have noticed during boot that the ASAv does not like the HostScan image (the image is from the .zip file downloaded from the Cisco support site) and some dynamic-config.json

webvpn
 enable OUTSIDE
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 hostscan image disk0:/hostscan_4.10.08029-k9.pkg
 hostscan enable
 anyconnect image disk0:/VPNSSL/anyconnect-win-4.10.08029-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/VPNSSL/anyconnect-macos-4.10.08029-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/VPNSSL/anyconnect-linux64-4.10.08029-webdeploy-k9.pkg 3 regex "Linux"

Are those messages OK?
I have tried 9.18 and 9.19 IOS, but the messages still appear.