36-22
Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
Using DAP to Apply a WebVPN ACL
DAP can directly enforce a subset of access policy attributes, including Network ACLs (for IPsec and
AnyConnect), clientless SSL VPN Web-Type ACLs, URL lists, and Functions. It cannot directly
enforce, for example, a banner or the split tunnel list; those remain enforced by the group policy. The Access
Policy Attributes tabs in the Add/Edit Dynamic Access Policy pane provide a complete menu of the
attributes DAP directly enforces.
Active Directory/LDAP stores a user's group membership as the “memberOf” attribute of the user
entry. You can define a DAP such that, for a user whose AD group (memberOf) = Engineering, the security
appliance applies a configured Web-Type ACL. To accomplish this task, perform the following steps:
Step 1 Navigate to the Add AAA attributes pane (Configuration > Remote Access VPN > Clientless SSL VPN
Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add
AAA Attribute).
Step 2 For the AAA Attribute type, use the drop-down menu to select LDAP.
Step 3 In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 4 In the Value field, use the drop-down menu to select =, and in the adjacent text box enter Engineering.
Step 5 In the Access Policy Attributes area of the pane, click the Web-Type ACL Filters tab.
Step 6 Use the Web-Type ACL drop-down menu to select the ACL you want to apply to users in the AD group
(memberOf) = Engineering.
Enforcing CSD Checks and Applying Policies via DAP
This example creates a DAP that checks that a user belongs to two specific AD/LDAP groups
(Engineering and Employees) and connects through a specific ASA tunnel group. It then applies an ACL to the user.
The ACLs that DAP applies control access to resources. They override any ACLs defined in the group
policy on the security appliance. For attributes that DAP does not define or control, such as the split
tunneling list, banner, and DNS, the security appliance applies the regular AAA group policy
inheritance rules and attributes.
Step 1 Navigate to the Add AAA attributes pane (Configuration > Remote Access VPN > Clientless SSL VPN
Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add
AAA Attribute).
Step 2 For the AAA Attribute type, use the drop-down menu to select LDAP.
Step 3 In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 4 In the Value field, use the drop-down menu to select =, and in the adjacent text box enter Engineering.
Step 5 Add a second LDAP attribute. In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 6 In the Value field, use the drop-down menu to select =, and in the adjacent text box enter Employees.
Step 7 For the AAA attribute type, use the drop-down menu to select Cisco.
Step 8 Check the Tunnel group box, use the drop-down menu to select =, and in the adjacent drop down box
select the appropriate tunnel group (connection policy).
Step 9 In the Network ACL Filters tab of the Access Policy Attributes area, select the ACLs to apply to users
who meet the DAP criteria defined in the previous steps.
Because this DAP is meant to require membership in both groups and the named tunnel group, the selector in the
AAA Attributes section must be set so that the user has all of the listed attribute values, not any of them;
with the any setting, membership in Engineering alone would satisfy the record.
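To make the selection and precedence rules in the two procedures above concrete, the following Python model is added here as an illustration; it is not Cisco code, does not read the ASA's dap.xml, and simplifies the ASA's behaviour to a single matching record. The attribute names aaa.ldap.memberOf and aaa.cisco.tunnelgroup are the ones the ASA exposes to DAP; the record layout, the session dictionaries, the group policy and the ACL names are constructed for the example. It shows case-sensitive matching of memberOf, the difference between requiring all listed values and any of them, and DAP ACLs overriding the group policy's ACLs while the split tunnel list, banner and DNS are inherited unchanged.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Attribute names as the ASA exposes them to DAP. The session dict layout
# (attribute -> string or list of strings) is constructed for this example.
LDAP_MEMBEROF = "aaa.ldap.memberOf"
TUNNEL_GROUP = "aaa.cisco.tunnelgroup"


@dataclass
class Criterion:
    attr: str    # e.g. aaa.ldap.memberOf
    value: str   # value configured with the "=" operator in ASDM


@dataclass
class DAPRecord:
    name: str
    criteria: List[Criterion]
    match_all: bool = True              # user must have ALL values (vs ANY)
    network_acl: Optional[str] = None   # IPsec/AnyConnect network ACL
    webtype_acl: Optional[str] = None   # clientless SSL VPN Web-Type ACL


@dataclass
class GroupPolicy:
    name: str
    network_acl: Optional[str] = None
    webtype_acl: Optional[str] = None
    split_tunnel_list: Optional[str] = None
    banner: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)


Session = Dict[str, Union[str, List[str]]]


def criterion_matches(crit: Criterion, session: Session) -> bool:
    """Exact, case-sensitive comparison. A multi-valued attribute such as
    memberOf matches when any of the user's values equals the configured one."""
    raw = session.get(crit.attr, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    return crit.value in values


def dap_matches(record: DAPRecord, session: Session) -> bool:
    """ALL semantics: every criterion must hold; ANY semantics: at least one."""
    results = [criterion_matches(c, session) for c in record.criteria]
    if not results:
        return False
    return all(results) if record.match_all else any(results)


def matching_daps(session: Session, records: List[DAPRecord]) -> List[str]:
    return [r.name for r in records if dap_matches(r, session)]


def apply_dap(session: Session, gp: GroupPolicy, record: DAPRecord) -> dict:
    """Effective attributes for one session: ACLs set by a matching DAP override
    the group policy's ACLs; attributes DAP does not control are inherited."""
    effective = {
        "dap": None,
        "network_acl": gp.network_acl,
        "webtype_acl": gp.webtype_acl,
        "split_tunnel_list": gp.split_tunnel_list,   # inherited, never from DAP
        "banner": gp.banner,                         # inherited, never from DAP
        "dns_servers": list(gp.dns_servers),         # inherited, never from DAP
    }
    if dap_matches(record, session):
        effective["dap"] = record.name
        if record.network_acl is not None:
            effective["network_acl"] = record.network_acl
        if record.webtype_acl is not None:
            effective["webtype_acl"] = record.webtype_acl
    return effective


# Constructed records mirroring the two procedures in this section.
ENGINEERING_WEB = DAPRecord(
    "Engineering_WebACL",
    [Criterion(LDAP_MEMBEROF, "Engineering")],
    webtype_acl="ENG_WEB_ACL",
)
ENG_EMPLOYEES_NET = DAPRecord(
    "Eng_Employees_Net",
    [Criterion(LDAP_MEMBEROF, "Engineering"),
     Criterion(LDAP_MEMBEROF, "Employees"),
     Criterion(TUNNEL_GROUP, "CorpVPN")],
    match_all=True,
    network_acl="ENG_NET_ACL",
)
DAPS = [ENGINEERING_WEB, ENG_EMPLOYEES_NET]

CORP_GP = GroupPolicy("CorpGP", network_acl="DEFAULT_NET_ACL",
                      webtype_acl="DEFAULT_WEB_ACL", split_tunnel_list="SPLIT_CORP",
                      banner="Authorized use only", dns_servers=["10.0.0.53"])

# Constructed sessions (what AAA returned for each user).
ALICE = {LDAP_MEMBEROF: ["Engineering", "Employees"], TUNNEL_GROUP: "CorpVPN"}
BOB = {LDAP_MEMBEROF: "Engineering", TUNNEL_GROUP: "CorpVPN"}
CAROL = {LDAP_MEMBEROF: ["engineering", "Employees"], TUNNEL_GROUP: "CorpVPN"}  # wrong case
DAVE = {LDAP_MEMBEROF: ["Engineering", "Employees"], TUNNEL_GROUP: "Contractors"}

if __name__ == "__main__":
    for user, sess in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE)]:
        print(user, matching_daps(sess, DAPS))
    print(apply_dap(ALICE, CORP_GP, ENG_EMPLOYEES_NET))
```

Running the block shows carol matching nothing because her memberOf value differs only in case, bob and dave matching only the single-group record because the three-criterion record requires all of its values, and alice receiving ENG_NET_ACL in place of the group policy's network ACL while keeping its Web-Type ACL, split tunnel list, banner and DNS servers.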