Solved: Cisco ASA -Remote VPN connection - Dynamic access policy Help

jackfait1 · ‎02-09-2021

Hello,

I am writing a Dynamic Access Policy on a Cisco ASA for a Remote Access VPN Connection. We are using Cisco AnyConnect and our connection profile uses SAML. The Dynamic access policy Checks for SAML and checks for membership in a LDAP group.

My question, how do you write the AnyConnect Custom Attribute to select either a group policy or address pool based on the ldap group membership. I am having a hard time finding information on this.

Thanks

Dinesh Moudgil · ‎02-09-2021

Hi,

You could use LDAP Attribute mapping to associate user from a specific LDAP group to group-policy on an ASA.

Ref: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

For more examples:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc14

Thank you,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

Mohammed al Baqari · ‎02-09-2021

Hi,

If I get it correct, you can use ldap attribute map to map memberOf to
Group-Policy name. Then on the group policy assign different address pools

***** please remember to rate useful posts

Dinesh Moudgil · ‎02-09-2021

Hi,