Can DAP Be Used to Assign Different IP Pools to SSL Clients

niall-wilkins
Level 1

Hi,

Just wondering if DAP on the ASA can be used to detect devices connecting to the ASA via SSL VPN Client and then assign IP pools based on their OS. So, for example, if the OS is iPhone or iPad connecting with SSL VPN, assign a VPN policy with an IP address pool of, say, 172.x.x.x, and if a connecting SSL VPN client is a laptop, detect that its OS is XP and assign a range of 192.x.x.x, and then direct laptops and OSes to different parts of the network based on this.

Thanks

1 Reply

Jennifer Halim
Cisco Employee

No, not exactly how you describe it. DAP can't assign SSL clients to use a different policy depending on what OS they are using.

However, what you can do with DAP is as follows:

- Create multiple tunnel groups for different OSes, each referring to a group-policy where you have set up the necessary pool of addresses.

- With DAP, you check the tunnel group that they chose as well as which OS they are coming from, and allow or block their access.

Here is an example:

- A user using Windows XP chose the tunnel-group that says XP when they connect. DAP will detect whether their OS is XP or not; if it is XP, it will allow them access, and if not, it will not allow them access.

- If the user uses an iPhone and chooses the tunnel group that says XP when they connect, DAP will detect that the OS is not XP and will not allow them access.

- The second time the user tries to connect, they will know that if they don't choose the correct tunnel group, they will not have access. Hence, they will use the correct tunnel-group depending on which OS they are connecting from.

Hope this helps.
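
The layout described in the reply above, sketched as ASA configuration. This is an added example, not configuration from the original thread: every pool range, object name and alias is a constructed placeholder, and the default-deny DAP arrangement is one assumed way to get the allow/block behaviour.

```cisco
! Constructed placeholders: pool ranges, names and aliases are examples only.
ip local pool POOL-IOS 172.16.50.1-172.16.50.254 mask 255.255.255.0
ip local pool POOL-XP 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! One group-policy per OS, each handing out its own address pool.
group-policy GP-IOS internal
group-policy GP-IOS attributes
 address-pools value POOL-IOS
group-policy GP-XP internal
group-policy GP-XP attributes
 address-pools value POOL-XP
!
! One tunnel group per OS, bound to the matching group-policy.
tunnel-group TG-IOS type remote-access
tunnel-group TG-IOS general-attributes
 default-group-policy GP-IOS
tunnel-group TG-IOS webvpn-attributes
 group-alias iOS enable
tunnel-group TG-XP type remote-access
tunnel-group TG-XP general-attributes
 default-group-policy GP-XP
tunnel-group TG-XP webvpn-attributes
 group-alias XP enable
!
! Let users pick the tunnel group (by alias) at login.
webvpn
 tunnel-group-list enable
!
! DAP: terminate by default, so only a session that matches one of the
! records below (right tunnel group AND right OS) is allowed to continue.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record DAP-IOS
 priority 10
dynamic-access-policy-record DAP-XP
 priority 10
!
! Selection criteria for each record are defined in ASDM and stored in
! dap.xml, not in the running configuration (assumed criteria):
!   DAP-IOS: aaa.cisco.tunnelgroup = TG-IOS AND endpoint OS is iOS
!   DAP-XP : aaa.cisco.tunnelgroup = TG-XP  AND endpoint OS is Windows XP
```

With this arrangement the pool is still chosen by the tunnel group, not by DAP. DAP only enforces that the user's chosen tunnel group matches the OS the ASA detects.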