36-13
Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
LDAP attributes consist of an attribute name and attribute value pair in the DAP record.
RADIUS—The RADIUS client stores all native RADIUS response attribute value pairs in a
database associated with the AAA session for the user. The RADIUS client writes the response
attributes to the database in the order in which it receives them. If it receives more than one
attribute with the same name, it keeps the first one and discards all subsequent attributes with
that name. This scenario might occur when a user record and a group record are both read from
the RADIUS server. The user record attributes are read first, and therefore always have priority
over group record attributes.
RADIUS attributes consist of an attribute number and attribute value pair in the DAP record. Refer
to Security Appliance Supported RADIUS Attributes and Values for a table that lists the RADIUS
attributes that the security appliance supports.
Note For RADIUS attributes, DAP defines the Attribute ID = 4096 + RADIUS ID.
For example:
The RADIUS attribute "Access Hours" has a RADIUS ID = 1, therefore the DAP attribute ID =
4096 + 1 = 4097.
The RADIUS attribute "Member Of" has a RADIUS ID = 146, therefore the DAP attribute ID =
4096 + 146 = 4242.
LDAP and RADIUS attributes include:
Attribute ID—Names/numbers the attribute. Maximum 64 characters.
Value—The attribute name (LDAP) or number (RADIUS).
=/!=—Equal to/Not equal to.
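The following Python model, added here as an illustration and not Cisco's code, shows the two rules above working together: the RADIUS client keeps the first attribute value it receives (user record before group record) and discards later duplicates, and a DAP record then compares its criteria, keyed on Attribute ID = 4096 + RADIUS ID, against that per-session database. The RADIUS IDs 1 (Access Hours) and 146 (Member Of) come from the guide; all attribute values, the group-only attribute with ID 2, the DAP record names, the treatment of an absent attribute under != and the ANDing of a record's criteria are constructed assumptions, not documented ASA behaviour.

```python
"""Model of the ASA RADIUS per-session attribute database and DAP AAA matching.

Added illustration, not Cisco's code. The RADIUS IDs 1 (Access Hours) and
146 (Member Of) and the 4096 offset come from the guide; every attribute
value, DAP record name and the group-only attribute with ID 2 below are
constructed sample data.
"""

DAP_RADIUS_BASE = 4096  # DAP Attribute ID = 4096 + RADIUS attribute ID


def dap_id(rid):
    """Translate a RADIUS attribute number into its DAP Attribute ID."""
    return DAP_RADIUS_BASE + rid


def radius_id(dap_attr_id):
    """Inverse translation: DAP Attribute ID -> RADIUS attribute number."""
    if dap_attr_id <= DAP_RADIUS_BASE:
        raise ValueError("not a RADIUS-derived DAP attribute ID: %d" % dap_attr_id)
    return dap_attr_id - DAP_RADIUS_BASE


def build_session_db(avps):
    """Write RADIUS response AVPs into the per-session database.

    avps is a list of (radius_id, value) pairs in the order the client received
    them. The first occurrence of each attribute number wins and later
    duplicates are discarded, as the guide describes for user-then-group
    records. Returns (database, discarded) so the caller can see what was lost.
    """
    db = {}
    discarded = []
    for rid, value in avps:
        if rid in db:
            discarded.append((rid, value))
        else:
            db[rid] = value
    return db, discarded


def evaluate_criterion(db, criterion):
    """Evaluate one DAP AAA criterion (dap_attr_id, op, value) against the db.

    Assumption (not stated in the guide): an attribute that is absent from the
    session database never satisfies '=' and always satisfies '!='.
    """
    dap_attr_id, op, expected = criterion
    actual = db.get(radius_id(dap_attr_id))
    if op == "=":
        return actual == expected
    if op == "!=":
        return actual != expected
    raise ValueError("unsupported operator: %r" % op)


def match_dap_record(db, criteria, require_all=True):
    """Match a DAP record's AAA attribute table; criteria are ANDed by default
    (assumption; an OR'ed table can be modelled with require_all=False)."""
    results = [evaluate_criterion(db, c) for c in criteria]
    return all(results) if require_all else any(results)


def dap_records_for_session(avps, dap_records):
    """Return the names of the DAP records whose AAA criteria match the session."""
    db, _ = build_session_db(avps)
    return [name for name, criteria in dap_records if match_dap_record(db, criteria)]


# Constructed sample RADIUS responses; the user record is read first.
USER_RECORD = [
    (1, "MON-FRI 08:00-18:00"),                            # Access Hours
    (146, "CN=VPN-Users,OU=Groups,DC=example,DC=com"),     # Member Of
]
GROUP_RECORD = [
    (1, "ANY"),                                            # duplicate ID 1: discarded
    (146, "CN=Engineering,OU=Groups,DC=example,DC=com"),   # duplicate ID 146: discarded
    (2, "group-only-value"),                               # constructed; no duplicate, so kept
]

# Constructed DAP records keyed on the RADIUS-derived Attribute IDs (4097, 4242).
DAP_RECORDS = [
    ("Engineering-FullAccess",
     [(dap_id(146), "=", "CN=Engineering,OU=Groups,DC=example,DC=com")]),
    ("Standard-Users",
     [(dap_id(146), "=", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
      (dap_id(1), "!=", "ANY")]),
]

if __name__ == "__main__":
    session_db, dropped = build_session_db(USER_RECORD + GROUP_RECORD)
    print("session db :", session_db)
    print("discarded  :", dropped)
    print("matched DAP:", dap_records_for_session(USER_RECORD + GROUP_RECORD, DAP_RECORDS))
```

The point the model makes visible: the group record's Member Of value never reaches DAP, because the user record already supplied attribute 146, so a DAP record written against the group's value (Engineering-FullAccess here) does not match even though the RADIUS server returned it. If a policy is meant to key on a group-level attribute, that attribute must not also be present in the user record.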
LDAP includes the Get AD Groups button. This button queries the LDAP server
The show ad-groups command applies only to Active Directory servers using LDAP. Use this command
to display AD groups that you can use for dynamic access policy AAA selection criteria.
The default time that the security appliance waits for a response from the server is 10 seconds. You can
adjust this time using the group-search-timeout command in aaa-server host configuration mode.
Note If the Active Directory server has a large number of groups, the output of the show ad-groups command
might be truncated because of limits on the amount of data the server can fit into a response packet.
To avoid this problem, use the filter option to reduce the number of groups reported by the server.
Modes
The following table shows the modes in which this feature is available (• = available, — = not available):

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple Context    System
  •           •              •              —               —