07-28-2011 03:05 PM
Hello,
We have an ASA that currently works for the AnyConnect client from PCs and uses Dynamic Access Policies to query LDAP with the username and apply ACLs based on the group membership in LDAP.
Now I'm trying to configure mobile devices using the AnyConnect mobile app and authenticating with certificates. I get connected correctly, but the DAP doesn't get applied. I originally thought this was because the cert has your e-mail or CN as your username, which would not match the LDAP username. So I used the built-in ability of the ASA to run a script to parse the e-mail address from the cert and obtain the username. I can tell from debugging the ASA that the script correctly obtains the username:
http_webvpn_post_authorize: AUTH_ACCEPT, WEBVPN_AUTH_USERNAME = **********
But it still doesn't apply the DAP. Looking at the debug output I'm curious about the "post_authorize". I'm wondering if the DAP is getting processed before the parsing is taking place.
If anybody has any insight or prior experience with this I'd appreciate it.
Thanks
Update: Using monitoring in ASDM and clicking on details for my mobile connection I can see that DAP is applying the default deny access when the username does not match anything in LDAP. Which still leaves me wondering if the parsing is taking place after DAP is applied.
08-01-2011 05:48 PM
Figured it out.
Under the group profiles for both Authentication and Authorization I had the "use script to get username" option set up, but under the Authorization tab I did not have the Authorization server group selected.
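As an added illustration (not the poster's configuration), here is what the fix described above looks like on the ASA CLI rather than in ASDM. The tunnel group, AAA server group, policy and pool names (MOBILE-CERT, LDAP-SRV, GP-MOBILE, VPN-POOL) and the LDAP host are assumed placeholders. The first fragment is the broken state the post describes: the certificate-derived username is produced by the script, but no authorization server group is set, so the LDAP lookup that DAP depends on never runs and the session falls through to the default deny policy. The second fragment adds the missing authorization-server-group line.

```text
! --- broken: script-derived username, but no authorization lookup ---
tunnel-group MOBILE-CERT type remote-access
tunnel-group MOBILE-CERT general-attributes
 address-pool VPN-POOL
 default-group-policy GP-MOBILE
 authorization-dn-attributes use-script
tunnel-group MOBILE-CERT webvpn-attributes
 authentication certificate
 username-from-certificate use-script
 group-alias mobile enable

! --- fixed: the same tunnel group with the authorization server group selected ---
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <assumed-placeholder>
 server-type microsoft

tunnel-group MOBILE-CERT general-attributes
 authorization-server-group LDAP-SRV
 authorization-required
 authorization-dn-attributes use-script
```

The check a practitioner would want after applying this: in ASDM, Monitoring > VPN > Sessions, open the details for a mobile session and confirm that the DAP name shown is the LDAP-group-based record rather than DfltAccessPolicy, and that the username shown matches the value the script returned in the `debug webvpn` output. `authorization-required` is optional but makes a failed LDAP lookup reject the session outright instead of silently landing in the default policy.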
08-21-2011 09:11 PM
Great to hear that.
Please mark this post as resolved.
Thanks for posting on CSC.
Take care.
09-09-2011 04:17 PM
I don't see a way to mark the post as resolved. Since I answered the question myself, there is no "Correct Answer" on my own reply.