1122 Views, 0 Helpful, 1 Reply

Multiple match in Cisco ASA DAP for AD groups

misha_bac
Level 1

Hello, my goal is to create granular network access, with ACL concatenation, based on the AD groups a user belongs to.

For example, I want members of Group1 to be able to connect only to Server1 (assume ACL1 permits it), and Group2 only to Server2 (ACL2).

It's trivial when I have only users who belong to only *one* of the groups.

I create the following DAPs:

DAP1: memberOf = Group1 -> apply ACL1

DAP2: memberOf = Group2 -> apply ACL2

The question is - I can't force the Cisco ASA to concatenate both ACLs if a user belongs to *both* groups. It applies only ACL1; the trace says:

Selected DAP records

--------------------

DAP1

Although the user is in *both* groups.

I can't use the solution of creating a separate DAP3 with both groups defined in it, because the two groups were just an example; I'll have about 10 of them.

Thank you for any suggestions!

1 Reply

misha_bac
Level 1

Okay, actually it works as expected; in the debug dap trace I see that the DAPs get concatenated. 'Test dynamic policy' in ASDM confused me, because it didn't want to apply both my policies; it seems to be a bug in it.
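The behaviour the thread arrives at, one DAP record per AD group with every matching record selected and their network ACLs concatenated, is easy to get wrong when you are reasoning about ten groups in your head. The following is an added example, not Cisco code and not the poster's configuration: a small Python model of that selection and aggregation logic, with a constructed ten-group policy (Group1..Group10, Server1..Server10, DAP1..DAP10) so you can check which records a given membership set selects and what the merged ACL permits. The names DapRecord, Ace, select_records, aggregate_acl and evaluate_dap are invented for the illustration; the ASA's real aggregation rules for mixed permit/deny ACLs are not modelled, only plain concatenation in priority order with an implicit deny at the end.

```python
"""Model of DAP record selection and ACL concatenation as described in the
thread above.  Added example, not Cisco's implementation: record names,
group names, server names and the ordering rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit' or 'deny' to a destination."""
    action: str
    dst: str          # host name, or "any"


@dataclass
class DapRecord:
    name: str
    priority: int           # higher wins ordering when several records match
    member_of: frozenset    # AD groups satisfying this record's memberOf test
    acl: list               # network ACL attached to the record


def select_records(user_groups, records):
    """Return every record whose memberOf condition matches the user's
    groups (any-of semantics), ordered by priority, then name."""
    matched = [r for r in records if r.member_of & frozenset(user_groups)]
    return sorted(matched, key=lambda r: (-r.priority, r.name))


def aggregate_acl(records):
    """Concatenate the ACLs of the selected records in selection order,
    dropping exact duplicates so overlapping records do not bloat the result."""
    seen, merged = set(), []
    for record in records:
        for ace in record.acl:
            if ace not in seen:
                seen.add(ace)
                merged.append(ace)
    return merged


def is_permitted(acl, dst):
    """First-match evaluation with an implicit deny at the end."""
    for ace in acl:
        if ace.dst in (dst, "any"):
            return ace.action == "permit"
    return False


def evaluate_dap(user_groups, records):
    """Names of the selected records plus the aggregated ACL for the session."""
    selected = select_records(user_groups, records)
    return [r.name for r in selected], aggregate_acl(selected)


# Constructed policy: ten groups, one DAP per group, each permitting one server.
RECORDS = [
    DapRecord(f"DAP{i}", 0, frozenset({f"Group{i}"}), [Ace("permit", f"Server{i}")])
    for i in range(1, 11)
]


if __name__ == "__main__":
    names, acl = evaluate_dap({"Group1", "Group2"}, RECORDS)
    print("Selected DAP records:", names)
    for server in ("Server1", "Server2", "Server3"):
        print(f"{server}: {'permit' if is_permitted(acl, server) else 'deny'}")
```

Running it for a user in Group1 and Group2 selects DAP1 and DAP2 and yields an ACL that permits Server1 and Server2 while Server3 falls through to the implicit deny, which is the outcome the debug dap trace confirmed. If you need to reproduce a case where the ASDM tester and the real trace disagree, compare the record names the model selects against the "Selected DAP records" list in the trace rather than trusting the tester's verdict.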