Cisco ASDM User Guide, OL-16647-01, page 36-12
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
Both-default-AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect.
Modes
The following table shows the modes in which this feature is available:
Add/Edit AAA Attributes
To configure AAA attributes as selection criteria for DAP records, in the Add/Edit AAA Attributes dialog box, set the Cisco, LDAP, or RADIUS attributes that you want to use. Each criterion compares the attribute to the value you enter using either = (equal to) or != (not equal to). There is no limit on the number of AAA attributes per DAP record. For detailed information about AAA attributes, see AAA Attribute Definitions.
Fields
AAA Attributes Type—Use the drop-down box to select Cisco, LDAP, or RADIUS attributes:
Cisco—Refers to user authorization attributes that are stored in the AAA hierarchical model. You can specify a small subset of these attributes as the AAA selection attributes in the DAP record. These include:
Group Policy—The group policy name associated with the user on the security appliance, or sent from a RADIUS/LDAP server as the IETF-Class (25) attribute. Maximum 64 characters.
IP Address—The assigned IP address for full-tunnel VPN clients (IPsec, L2TP/IPsec, SSL VPN AnyConnect). Does not apply to Clientless SSL VPN, since there is no address assignment for clientless sessions.
Connection Profile—The connection or tunnel group name. Maximum 64 characters.
Username—The username of the authenticated user. Maximum 64 characters. Applies if you are using local authentication/authorization.
=/!=—Equal to/Not equal to.
LDAP—The LDAP client stores all native LDAP response attribute-value pairs in a database associated with the AAA session for the user. The LDAP client writes the response attributes to the database in the order in which it receives them; once a value has been written for a given attribute name, any later attribute with the same name in the response is discarded. This situation arises when both a user record and a group record are read from the LDAP server: the user record attributes are read first, and so always take priority over group record attributes.
To support Active Directory group membership, the AAA LDAP client provides special handling of the LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group record in AD, and the name of the group is the first CN value in that DN string. The LDAP client extracts the group name from the DN string and stores it as the AAA memberOf attribute, and in the response attribute database as the LDAP memberOf attribute. If the LDAP response message contains additional memberOf attributes, the group name is extracted from each of them and combined with the earlier AAA memberOf value to form a comma-separated string of group names, which is also updated in the response attribute database.
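The following is an added illustration, not Cisco code, of the two behaviours this section describes: how the AAA LDAP client flattens the response into an attribute database (first value read wins, memberOf collapsed to a comma-separated list of group CNs) and how a DAP record's AAA criteria are then evaluated with = and !=. The attribute names, the sample LDAP records, the treatment of backslash-escaped commas, the rule that a missing attribute satisfies only !=, and the AND combination of a record's criteria are all assumptions made for the example; the page does not specify them.

```python
"""Model of ASA AAA LDAP response handling and DAP AAA-attribute matching.
Added example: hypothetical reimplementation of the behaviour the text describes,
not Cisco code. Attribute names and sample data are constructed."""

from dataclasses import dataclass


def split_rdns(dn):
    """Split a DN on commas, keeping backslash-escaped commas inside an RDN value.
    (Assumption: the text does not say how the ASA treats RFC 4514 escaping.)"""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


def first_cn(dn):
    """Group name as the ASA derives it: the value of the first CN RDN in the DN."""
    for rdn in split_rdns(dn):
        key, _, val = rdn.partition("=")
        if key.strip().lower() == "cn":
            return val.strip()
    return None


def build_response_db(records):
    """Flatten LDAP entries, in the order the client read them (user record first,
    then group records), into one attribute database. The first occurrence of a
    name wins and later duplicates are discarded; memberOf is the exception: the
    CN of every value is extracted and the names are joined with commas."""
    db, groups = {}, []
    for record in records:
        for name, value in record:
            if name.lower() == "memberof":
                cn = first_cn(value)
                if cn is not None:
                    groups.append(cn)
            else:
                db.setdefault(name, value)   # first value read has priority
    if groups:
        db["memberOf"] = ",".join(groups)
    return db


@dataclass(frozen=True)
class AAACriterion:
    name: str    # attribute name, e.g. "memberOf" or "Group Policy"
    op: str      # "=" or "!="
    value: str


def criterion_matches(crit, attrs):
    """Evaluate one DAP AAA-attribute criterion against a session's attributes.
    Assumptions not stated in the text: a missing attribute satisfies only "!=",
    and a memberOf criterion matches if its value is any one of the listed groups."""
    actual = attrs.get(crit.name)
    if actual is None:
        return crit.op == "!="
    candidates = actual.split(",") if crit.name.lower() == "memberof" else [actual]
    hit = crit.value in candidates
    return hit if crit.op == "=" else not hit


def dap_record_selected(criteria, attrs):
    """All AAA criteria of a record must match (assumed AND semantics)."""
    return all(criterion_matches(c, attrs) for c in criteria)


# Constructed sample data: the entries an AD lookup might return for one user.
USER_RECORD = [
    ("sAMAccountName", "jdoe"),
    ("department", "Engineering"),
    ("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
    ("memberOf", "CN=Contractors,OU=Groups,DC=example,DC=com"),
]
GROUP_RECORD = [
    ("department", "Groups"),   # same name as the user's value: discarded
    ("memberOf", "CN=All-Staff,OU=Groups,DC=example,DC=com"),
]
CISCO_ATTRS = {"Group Policy": "DfltGrpPolicy",
               "Connection Profile": "SSL-Employees",
               "Username": "jdoe"}


def session_attributes():
    """Merge the Cisco-derived attributes with the normalised LDAP response."""
    return {**CISCO_ATTRS, **build_response_db([USER_RECORD, GROUP_RECORD])}


if __name__ == "__main__":
    attrs = session_attributes()
    print(attrs["memberOf"])   # VPN-Users,Contractors,All-Staff
    record = [AAACriterion("memberOf", "=", "Contractors"),
              AAACriterion("Connection Profile", "=", "SSL-Employees")]
    print(dap_record_selected(record, attrs))   # True
```

Two consequences of the behaviour described above are worth checking in a real deployment: because only the first CN of each DN is kept, two groups with the same CN in different OUs or domains become indistinguishable to a memberOf criterion, and because the names are joined with plain commas, a group whose CN itself contains a comma cannot be recovered unambiguously from the combined string.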
Modes table (referenced under "Modes" above). This feature is available in routed and transparent firewall mode and in single security context mode only; it is not available in multiple context mode, neither within a context nor in the system context.

Firewall Mode            Security Context
Routed     Transparent   Single   Multiple
                                  Context   System
•          •             •        --        --