Hi,
We have an ASA 5505 and it's configured to use a FreeRADIUS server that authenticates against OpenLDAP. I'm trying to configure Dynamic Access Policies to restrict access based upon what group a user belongs to. In LDAP I have an attribute called vpnaccess with values "systems" and "common". I've created an LDAP Attribute Map mapping vpnaccess to "Cisco IETF-Radius-Class" and mapped the two attribute values to Cisco Attribute Values. I think this is where I get hung up. I created a DAP policy with an AAA Attribute: Radius.25 = vpnAccess. When I connect it doesn't select my DAP policy but falls through and selects the DfltAccessPolicy, which I have configured to terminate the connection.
In ASDM under DAP I run Test Dynamic Access Policies... it selects the correct DAP policy "CiscoMapPolicy", but when I use a client it runs the DfltAccessPolicy.
LUA session data tables:
------------------------
endpoint.application.clienttype = AnyConnect
aaa.radius.25 = vpnAccess
aaa.radius.1 = vpnAccess
aaa.radius.4242 = vpnAccess
aaa.cisco.username = user-name
aaa.cisco.tunnelgroup = TGIVPN
aaa.ldap.memberOf = systems
aaa.ldap.vpnAccess = systems
Selected DAP records
--------------------
CiscoMapPolicy
The DAP policy contains the following attributes for user:
--------------------------------------------------------------------------
1: action = continue
Any ideas where I've gone wrong or can you point me in the right direction?
Thanks in advance.
Clients: SSL/AnyConnect
ASDM: 6.2
ASA: 8.2(1)
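For reference, the part of this setup that lives on the FreeRADIUS side, written here as an added example rather than anything from the post or from Cisco: the ASA's aaa.radius.25 selector only sees what the RADIUS server actually puts in the Class attribute (IETF attribute 25) of its Access-Accept, so the LDAP attribute has to be copied into that reply attribute by FreeRADIUS itself. The ASA's LDAP Attribute Map is only consulted when the ASA talks LDAP directly, not when it talks RADIUS. The fragment below assumes FreeRADIUS 3.x, the rlm_ldap `update` mapping syntax, an LDAP attribute literally named `vpnaccess`, and a server name of `ldap.example.com`; all of those are assumptions, and the ASDM test tool in the post simply echoes whatever value you type into it (hence `aaa.radius.25 = vpnAccess`), so it cannot tell you what the live server returns.

```text
# mods-available/ldap (FreeRADIUS 3.x, assumed) -- copy the per-user LDAP
# attribute "vpnaccess" into the RADIUS reply attribute Class (attribute 25).
# The left side is the RADIUS attribute, the quoted right side is the LDAP
# attribute name; both names here are assumptions for this example.
ldap {
    server = 'ldap.example.com'
    base_dn = 'dc=example,dc=com'

    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        control:Password-With-Header += 'userPassword'
        reply:Class                  := 'vpnaccess'
    }
}

# sites-enabled/default, post-auth section (assumed placement).
# Refuse users that have no vpnaccess value at all rather than letting the
# ASA fall through to its default DAP record with an empty Class.
post-auth {
    if (!&reply:Class) {
        update reply {
            Reply-Message := 'no vpnaccess value found in LDAP'
        }
        reject
    }
}
```

With that in place the DAP record's AAA attribute would be compared against the group value (`aaa.radius.25 = systems`, or `common`), not against the attribute name. To confirm what the ASA is actually being sent, run `radtest` against the FreeRADIUS server and look for `Class` in the Access-Accept it prints, and on the ASA side `debug radius` shows the attributes parsed from the reply; `show vpn-sessiondb` output is not sufficient for this because it does not list the raw RADIUS attributes.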