Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
621
Views
0
Helpful
3
Replies

Cisco ASA -Remote VPN connection - Dynamic access policy Help

Go to solution
jackfait1
Level 1
Level 1

‎02-09-2021 08:22 AM

Hello,

I am writing a Dynamic Access Policy on a Cisco ASA for a Remote Access VPN Connection. We are using Cisco AnyConnect and our connection profile uses SAML. The Dynamic access policy Checks for SAML and checks for membership in a LDAP group.

My question, how do you write the AnyConnect Custom Attribute to select either a group policy or address pool based on the ldap group membership. I am having a hard time finding information on this.

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎02-09-2021 09:11 AM

Hi,

 

You could use LDAP Attribute mapping to associate user from a specific LDAP group to group-policy on an ASA.

Ref: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

 

For more examples:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc14


Thank you,

Dinesh Moudgil

 

P.S. Please rate helpful posts.

 

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-09-2021 09:08 AM

Hi,

If I get it correct, you can use ldap attribute map to map memberOf to
Group-Policy name. Then on the group policy assign different address pools

***** please remember to rate useful posts
0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎02-09-2021 09:11 AM

Hi,

 

You could use LDAP Attribute mapping to associate user from a specific LDAP group to group-policy on an ASA.

Ref: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

 

For more examples:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc14


Thank you,

Dinesh Moudgil

 

P.S. Please rate helpful posts.

 

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
jackfait1
Level 1
Level 1
In response to Dinesh Moudgil

‎02-13-2021 09:36 AM

Thanks! Worked Great!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents