Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01)
Chapter 65    Configuring Dynamic Access Policies
Understanding VPN Access Policies    (page 65-18)

    –  =/!=—Equal to/Not equal to.

•  LDAP includes the Get AD Groups button. This button queries the Active Directory LDAP server for the list of groups the user belongs to (memberOf enumerations). It retrieves the AD groups using the CLI show ad-groups command in the background.

Retrieving Active Directory Groups

Figure 65-5 shows the Retrieve AD Groups from Selected AD Server Group pane.

Figure 65-5    Retrieve AD Groups Dialog Box

The show ad-groups command applies only to Active Directory servers using LDAP. Use this command to display AD groups that you can use for dynamic access policy AAA selection criteria.

The default time that the adaptive security appliance waits for a response from the server is 10 seconds. You can adjust this time using the group-search-timeout command in aaa-server host configuration mode.

Note    If the Active Directory server has a large number of groups, the output of the show ad-groups command might be truncated based on limitations to the amount of data the server can fit into a response packet. To avoid this problem, use the filter option to reduce the number of groups reported by the server.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple Context    System
•         —                •         —                   —
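The AD server definition, the longer group-search timeout, and the filtered show ad-groups query described above, written out as an added ASA CLI example (this is not configuration from the guide; the server group name AD-LDAP, the interface, the 10.10.0.5 address, all DN values, the bind password placeholder and the filter string "VPN" are assumed). The same command is what the Get AD Groups button runs in the background:

```cisco
! Added example, not from the Cisco guide. Names, addresses, DNs,
! the bind password placeholder and the filter string are assumed.
! The AD server must be defined as an LDAP AAA server group; the
! show ad-groups command does not work against RADIUS or Kerberos groups.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
 ldap-base-dn DC=corp,DC=example,DC=com
 ! Restrict the group search to the container that holds the groups,
 ! which keeps the group-search response small.
 ldap-group-base-dn OU=Groups,DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Read-only bind account; it needs no rights beyond reading group objects.
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password <bind-password>
 ! LDAPS so the bind credentials and the memberOf enumeration are not
 ! sent in cleartext between the ASA and the domain controller.
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ! Default wait for the group-search response is 10 seconds; a large
 ! directory may need longer before the ASA gives up on the query.
 group-search-timeout 30

! Enumerate groups for use as DAP AAA (LDAP memberOf) selection criteria.
! The unfiltered form can be truncated when the server cannot fit all
! groups into one response packet, so constrain it with a filter string.
show ad-groups AD-LDAP
show ad-groups AD-LDAP filter VPN
```

The group names returned by the filtered query are the values you enter in a DAP record's AAA attribute for LDAP memberOf, paired with the = or != operator listed above. If the filtered output still looks incomplete, narrow ldap-group-base-dn or the filter string further rather than relying on a name you did not see returned, since a DAP criterion that references a group name the ASA never matched silently fails to select that policy.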