1934 Views · 0 Helpful · 3 Replies

Cisco Anyconnect using Dynamic Access Policies and Cert Authentication

brianhill88
Level 1

Hello,

We have an ASA that currently works for the AnyConnect client from PCs and uses Dynamic Access Policies to query LDAP with the username and applies ACLs based off the group membership in LDAP.

Now I'm trying to configure mobile devices using the Anyconnect mobile app and authenticating with certificates. I get connected correctly but the DAP doesn't get applied. I originally thought this was because the cert has your e-mail or CN as your username, which would not match the LDAP username. So I used the built-in ability of the ASA to run a script to parse the e-mail address in the cert and obtain the username. I can tell from debugging the ASA that the script correctly obtains the username:

http_webvpn_post_authorize: AUTH_ACCEPT, WEBVPN_AUTH_USERNAME = **********

But it still doesn't apply the DAP. Looking at the debug output I'm curious about the "post_authorize". I'm wondering if the DAP is getting processed before the parsing is taking place.

If anybody has any insight or prior experience with this I'd appreciate it.

Thanks

Update: Using monitoring in ASDM and clicking on details for my mobile connection, I can see that DAP is applying the default deny access when the username does not match anything in LDAP, which still leaves me wondering if the parsing is taking place after DAP is applied.

3 Replies

brianhill88
Level 1

Figured it out.

Under the group profiles for both Authentication and Authorization I had "use script to get username" set up, but under the Authorization tab I did not have the Authorization server group selected.
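The fix above, expressed in ASA CLI terms as an added illustration (this is not configuration from the original post and not Cisco's own example). The connection-profile and server names, the LDAP base DN, bind DN and host address are all constructed placeholders. The "before" block is a certificate-authenticated connection profile that parses the username from the cert but never names an authorization server group, so no LDAP lookup (and therefore no memberOf attribute for DAP to match) ever happens for that session; the "after" block adds the missing line. The DAP records' LDAP-attribute selection criteria themselves live in dap.xml and are edited in ASDM, so they are not shown here.

```cisco
! LDAP server group that DAP will query for group membership (constructed values)
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

! BEFORE: certificate auth with the username parsed by script, but no
! authorization server group. The session authenticates, the parsed username
! is logged, and DAP falls through to DfltAccessPolicy because nothing was
! ever looked up in LDAP for this user.
tunnel-group MOBILE-CERT type remote-access
tunnel-group MOBILE-CERT general-attributes
 address-pool VPN-POOL
 default-group-policy MOBILE-GP
 username-from-certificate use-script
tunnel-group MOBILE-CERT webvpn-attributes
 authentication certificate
 group-alias mobile enable

! AFTER: same profile with the authorization server group named. The ASA now
! sends the script-derived username to LDAP-SRV after the certificate check,
! and the returned attributes (memberOf etc.) are what DAP evaluates.
! authorization-required makes a failed or empty lookup reject the session
! rather than silently landing on the default record.
tunnel-group MOBILE-CERT general-attributes
 authorization-server-group LDAP-SRV
 authorization-required

! Checks (constructed username):
! show running-config tunnel-group MOBILE-CERT
! test aaa-server authorization LDAP-SRV host 10.0.0.5 username jsmith
! debug dap trace
! show vpn-sessiondb detail anyconnect filter name jsmith
```

The `test aaa-server authorization` command is the quickest way to confirm that the username the script produces actually resolves in LDAP before involving a mobile client at all; `debug dap trace` then shows which record each session matched and why, which is the same information the original poster found by clicking through to session details in ASDM.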

Great to hear that

Please mark this post as resolved.

Thanks for posting on CSC.

Take care.

I don't see a way to mark the post as resolved.  Since I answered the question myself, there is no "Correct Answer" on my own reply.