Cisco ASA DAP & Cloud Native (Azure AD) Windows Devices

jm777 (Level 1)

Hi All, 

Looking for suggestions on the best way to use DAP on ASA for Cloud Native (specifically Azure AD) Windows devices using AnyConnect VPN. A cloud native Windows device does not have a registry value for domain, so I am wondering if anyone else has run into this.

Thanks!

Accepted Solution

Ruben Cocheno (Spotlight)

@jm777 

With the release of Cisco ASA version 9.17, you can now use various SAML assertion attributes contained in the "SAML ticket" issued to the client (from the IdP) and sent to the ASA when SAML authentication is taking place in AnyConnect. Using this approach, you can ask your IdP administrator to include AD group memberships or attributes as "assertion attributes" in the SAML ticket if the IdP has an integration with Active Directory, and when this ticket is shown to the ASA inside AnyConnect for authentication purposes, the ASA sees these attributes and you can then use them as parameters in Dynamic Access Policies (DAP) to build your access rules.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

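The following is an added example, not code from the original post or from Cisco: it models the flow the answer describes, a gateway pulling attributes (here, a group claim) out of a SAML 2.0 assertion and choosing an access policy from them, the way ASA 9.17 DAP can key on SAML assertion attributes. The assertion is constructed sample data; the issuer value, group names and policy names are assumptions for illustration. The group claim URI is the one Azure AD uses for group claims in SAML tokens, and "DfltAccessPolicy" is the ASA's built-in fallback DAP record.

```python
"""Added example: select a DAP-style access policy from SAML assertion attributes.

Not Cisco code. The assertion below is constructed sample data; the issuer,
group names and policy names are assumptions for illustration only.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URI Azure AD uses for group claims in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical IdP entity ID the gateway is configured to trust (assumption).
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed sample assertion. A real assertion also carries a ds:Signature,
# which the gateway must verify against the IdP certificate before trusting
# any attribute; the ASA does this with the certificate in its saml idp config.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml2:AttributeValue>VPN-Finance</saml2:AttributeValue>
      <saml2:AttributeValue>All-Staff</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml2:AttributeValue>Alice Example</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# DAP-style records, highest priority first: (attribute name, required value, policy).
# Policy names are hypothetical; DfltAccessPolicy is the ASA's built-in fallback.
RULES = [
    (GROUPS_CLAIM, "VPN-Admins", "Admin-Full-Tunnel"),
    (GROUPS_CLAIM, "VPN-Finance", "Finance-Split-Tunnel"),
]
DEFAULT_POLICY = "DfltAccessPolicy"


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from a SAML 2.0 Assertion.

    Rejects anything that is not an Assertion from the expected issuer, so an
    assertion minted by another tenant or IdP never reaches policy selection.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml2"]:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml2:Issuer", namespaces=SAML_NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer %r" % issuer)
    attrs = {}
    for attr in root.iterfind("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def select_policy(attrs: dict, rules=RULES, default=DEFAULT_POLICY) -> str:
    """First rule whose required value appears among the attribute's values wins."""
    for name, required, policy in rules:
        if required in attrs.get(name, []):
            return policy
    return default


def authorize(assertion_xml: str) -> str:
    """Policy to apply to the session described by the assertion."""
    return select_policy(extract_attributes(assertion_xml))


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION))
```

Two caveats a practitioner would check before relying on this in production. First, the example uses a simplified first-match in priority order, whereas the ASA aggregates the attributes of every DAP record that matches, so rule ordering behaves differently on the appliance. Second, Azure AD emits group claims as group object IDs by default; emitting sAMAccountName or domain-qualified names is only available for groups synchronised from on-premises AD, so the values your DAP criteria match on depend on how the IdP administrator configures the group claim.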