We are trying to get the ASA Dynamic Access Policies to restrict the users to certain ACLs by a group claim attribute from the Entra/Azure Enterprise application. The group claim seems to be getting to the ASA, but the DAP does not apply.
I can test the DAP conditions through ASDM and they pass, the DAP is applied during the ASDM test. But when connecting, the group attribute does not seem to be evaluated by the ASA. I can change the DAP configuration AAA attributes from "User has ANY of the following AAA Attributes values..." to "User has NONE of the following AAA Attributes values...", and the ASA determines that the user does not have any groups and assigns the DAP policy. As soon as I switch that back I cannot get the DAP to apply.
It is as though the group attribute is not there, even though the DAP Trace in the ASA shows the group attribute.
I have a ticket open with Cisco TAC, but after over a week of emailing with them and trying different approaches we are no closer to getting this to work. Cisco TAC wanted me to try using an aaa.cisco (cisco_group_policy) attribute and tie that to a Group Policy, but that hasn't yielded any results either.
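The symptom above (a "NONE of the following values" condition passes while the matching "ANY" condition fails) is what an ANY/NONE evaluation produces whenever the attribute either never arrives or arrives with values that do not equal the ones configured. The following is an added example, not code from the poster, Cisco, or Microsoft: it parses a constructed SAML AttributeStatement shaped like Entra's default groups claim, which carries group object IDs rather than display names, and evaluates a DAP-style ANY/NONE condition over it. The attribute name is Entra's default groups claim name; the object IDs are made up, the function names are the author's own, and whether the thread's actual cause is an ID-versus-name mismatch, the attribute namespace the ASA exposes to DAP, or something else is not known from the posts.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default claim name Entra uses for the optional "groups" claim in a SAML token.
ENTRA_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample (not a capture): an AttributeStatement in the shape Entra
# emits when the groups claim is left at its default, i.e. group object IDs
# rather than display names. The IDs below are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>0a1b2c3d-0000-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>0a1b2c3d-0000-4000-8000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values...]} from a SAML AttributeStatement.

    Multi-valued attributes (such as a groups claim) keep every value.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def _norm(value, caseless):
    return value.casefold() if caseless else value


def evaluate_condition(attrs, attr_name, policy, wanted, caseless=True):
    """Evaluate a DAP-style AAA attribute condition (hypothetical helper).

    policy "any":  True if the user has ANY of the wanted values.
    policy "none": True if the user has NONE of the wanted values.
    A missing attribute is treated as an empty value list, so a NONE
    condition passes even when the attribute never reached the evaluator.
    """
    values = {_norm(v, caseless) for v in attrs.get(attr_name, [])}
    targets = {_norm(w, caseless) for w in wanted}
    hit = bool(values & targets)
    if policy == "any":
        return hit
    if policy == "none":
        return not hit
    raise ValueError(f"unknown policy {policy!r}")


def diagnose(attrs, attr_name, wanted):
    """Separate 'attribute absent' from 'attribute present but values differ'."""
    if attr_name not in attrs:
        return "attribute absent from assertion"
    if evaluate_condition(attrs, attr_name, "any", wanted):
        return "match"
    return "attribute present but no value matches: " + ", ".join(attrs[attr_name])


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    # Configured against a display name, ANY fails and NONE passes, which is
    # the pattern described in the post.
    print("ANY VPN-Admins :", evaluate_condition(attrs, ENTRA_GROUPS_CLAIM, "any", ["VPN-Admins"]))
    print("NONE VPN-Admins:", evaluate_condition(attrs, ENTRA_GROUPS_CLAIM, "none", ["VPN-Admins"]))
    print(diagnose(attrs, ENTRA_GROUPS_CLAIM, ["VPN-Admins"]))
```

Running the block against the constructed assertion shows the two outcomes side by side: the ANY condition on a display name fails while NONE passes, and diagnose() reports that the attribute is present but carries other values. Comparing the values in the ASA's own DAP trace against exactly what the DAP record is configured to match is the check this distinction points at.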
I have the same issue when trying to integrate Duo's solution for this, and was thinking of switching to Entra. However, now that I know it didn't work with Duo I decided to search if it was a problem with Entra and found your post. Before I waste even MORE time implementing something that isn't going to end up working, I was hoping to find out if you had success.