We have an ASA 5505 and it's configured to use a FreeRADIUS server that authenticates against OpenLDAP. I'm trying to configure Dynamic Access Policies to restrict access based upon what group a user belongs to. In LDAP I have an attribute called vpnaccess with values "systems" and "common". I've created an LDAP Attribute Map mapping vpnaccess to "Cisco IETF-Radius-Class" and mapped the two attribute values to Cisco Attribute Values. I think this is where I get hung up. I created a DAP policy with an AAA Attribute: Radius.25 = vpnAccess. When I connect it doesn't select my DAP policy but falls through and selects the DfltAccessPolicy, which I have configured to terminate the connection.
In ASDM under DAP I run Test Dynamic Access Policies...
It selects the correct DAP policy "CiscoMapPolicy", but when I use a client it runs the DfltAccessPolicy.
LUA session data tables:
endpoint.application.clienttype = AnyConnect
aaa.radius.25 = vpnAccess
aaa.radius.1 = vpnAccess
aaa.radius.4242 = vpnAccess
aaa.cisco.username = user-name
aaa.cisco.tunnelgroup = TGIVPN
aaa.ldap.memberOf = systems
aaa.ldap.vpnAccess = systems
Selected DAP records
The DAP policy contains the following attributes for user:
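To make the selection step visible, here is an added example (not from the original post or from Cisco) that parses a session data dump in the format shown above and evaluates DAP records against it: every record whose AAA attribute conditions all hold is selected, and DfltAccessPolicy applies only when none matches. The record names and criteria are constructed for illustration, and the all-conditions-must-hold rule is a simplification of the ASA's matching logic.

```python
# Added example, not ASA code: model DAP record selection against a
# session data table of "key = value" lines like the ASDM DAP trace.
from typing import Dict, List, Tuple

# Constructed sample, copied from the shape of the trace in the post.
SESSION_DUMP = """\
endpoint.application.clienttype = AnyConnect
aaa.radius.25 = vpnAccess
aaa.ldap.memberOf = systems
aaa.ldap.vpnAccess = systems
"""

# A DAP record: its name plus the AAA attribute conditions that must ALL hold.
DapRecord = Tuple[str, Dict[str, str]]


def parse_session_table(dump: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a flat dict keyed by the dotted path."""
    table: Dict[str, str] = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue  # skip headings such as "Selected DAP records"
        key, _, value = line.partition("=")
        table[key.strip()] = value.strip()
    return table


def select_dap(table: Dict[str, str], records: List[DapRecord],
               default: str = "DfltAccessPolicy") -> List[str]:
    """Return every record whose conditions match; the default if none does."""
    selected = [name for name, criteria in records
                if all(table.get(attr) == want for attr, want in criteria.items())]
    return selected or [default]


def compare_policies() -> Dict[str, List[str]]:
    """Evaluate the post's name-based record next to value-based ones."""
    table = parse_session_table(SESSION_DUMP)
    as_posted = [("CiscoMapPolicy", {"aaa.radius.25": "vpnAccess"})]
    by_value = [("Systems", {"aaa.ldap.vpnAccess": "systems"}),
                ("Common", {"aaa.ldap.vpnAccess": "common"})]
    return {"as_posted": select_dap(table, as_posted),
            "by_value": select_dap(table, by_value),
            "no_match": select_dap(table, [("X", {"aaa.radius.25": "systems"})])}


if __name__ == "__main__":
    for label, chosen in compare_policies().items():
        print(f"{label}: {chosen}")
```

Note that the record as written in the post matches the literal string "vpnAccess" in aaa.radius.25, so the trace selects it; a record keyed on the group value only matches through the attribute that actually carries "systems".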