Hello, my goal is to create granular network access, with ACL concatenation, based on the AD groups to which a user belongs.
For example, I want members of Group1 to be able to connect only to Server1 (assume ACL1 permits it), and Group2 only to Server2 (ACL2).
It's trivial when I have only users who belong to *one* of the groups.
I create the following DAPs:
DAP1: memberOf = Group1 -> apply ACL1
DAP2: memberOf = Group2 -> apply ACL2
The question is: I can't force the Cisco ASA to concatenate both ACLs if the user belongs to *both* groups. It applies only ACL1; the trace says:
Selected DAP records
--------------------
DAP1
although the user is in *both* groups.
I can't use the solution where I create a separate DAP3 with both groups defined in it, because two groups was just an example; I'll have about 10 of them.
Thank you for any suggestions!
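As an added illustration (not part of the original post, and not Cisco code), the following Python model shows the selection and aggregation semantics the poster expects: every DAP record whose memberOf criterion matches any value of the user's multi-valued memberOf attribute is selected, and the network ACLs of all selected records are concatenated, followed by the implicit deny. Record names, group names and server names are the placeholders from the question; the ACL format is a simplified (action, destination) list, not ASA syntax.

```python
# Added example: a model of DAP record selection and ACL aggregation.
# Names (DAP1, Group1, Server1, ...) are the placeholders from the question;
# the ACL representation is a constructed simplification, not ASA syntax.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Acl = List[Tuple[str, str]]  # ordered (action, destination) entries


@dataclass
class DapRecord:
    name: str
    member_of: str  # AD group the record's memberOf criterion matches
    acl: Acl


def select_dap_records(user_groups: List[str], records: List[DapRecord]) -> List[DapRecord]:
    """Select every record whose criterion matches ANY of the user's memberOf
    values. Checking only the first value would leave a user in Group1 and
    Group2 with a single record, which is the symptom described in the post."""
    groups = set(user_groups)
    return [r for r in records if r.member_of in groups]


def aggregate_acl(selected: List[DapRecord]) -> Acl:
    """Concatenate the ACLs of all selected records in record order and append
    the implicit deny-all, so a user reaches only what some record permits."""
    acl = [entry for r in selected for entry in r.acl]
    acl.append(("deny", "any"))
    return acl


def is_permitted(acl: Acl, destination: str) -> bool:
    """First-match evaluation over the aggregated ACL."""
    for action, dst in acl:
        if dst in ("any", destination):
            return action == "permit"
    return False


# Constructed policy mirroring the question: Group1 -> Server1, Group2 -> Server2.
DAP_RECORDS = [
    DapRecord("DAP1", "Group1", [("permit", "Server1")]),
    DapRecord("DAP2", "Group2", [("permit", "Server2")]),
]


def effective_access(user_groups: List[str], servers=("Server1", "Server2")) -> Dict[str, bool]:
    """Which servers a user with these memberOf values may reach."""
    acl = aggregate_acl(select_dap_records(user_groups, DAP_RECORDS))
    return {s: is_permitted(acl, s) for s in servers}


if __name__ == "__main__":
    print([r.name for r in select_dap_records(["Group1", "Group2"], DAP_RECORDS)])  # ['DAP1', 'DAP2']
    print(effective_access(["Group1", "Group2"]))  # both True
    print(effective_access(["Group2"]))  # only Server2
```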