Cisco ASA 5505 Configuration Manual page 1450

Understanding VPN Access Policies
Step 5 Click the blinking ! to see the message and links for remediation.
Additional Lua Functions
When working with dynamic access policies for clientless SSL VPN, you might need additional flexibility of match criteria. For example, you might want to apply a different DAP based on the following:

• Organizational Unit (OU) or other level of the hierarchy for the user object
• Group Name that follows a naming convention but has many possible matches; you might require the ability to use a wildcard on group names.

You can accomplish this flexibility by creating a Lua logical expression in the Advanced section of the DAP pane in ASDM.

OU-Based Match Example

DAP can use many attributes returned from an LDAP server in a logical expression. See the DAP trace section for example output of this, or run a debug dap trace.

The LDAP server returns the user Distinguished Name (DN). This implicitly identifies where in the directory the user object is located. For example, if the user DN is CN=Example User,OU=Admins,dc=cisco,dc=com this user is located in OU=Admins,dc=cisco,dc=com. If all administrators are in this OU (or any container below this level) you can use a logical expression to match on this criteria as follows:

    assert(function()
      -- match only when the DN came back as a string and ends with the Admins OU
      if ( (type(aaa.ldap.distinguishedName) == "string") and
           (string.find(aaa.ldap.distinguishedName, "OU=Admins,dc=cisco,dc=com$") ~= nil) )
      then
        return true
      end
      return false
    end)()

In this example, the string.find function accepts a regular-expression-style Lua pattern. Use the $ at the end of the string to anchor this string to the end of the distinguishedName field.

Group Membership Example

You can create a basic logical expression for pattern matching of AD group membership. Because users can be members of multiple groups, DAP parses the response from the LDAP server into separate entries in a table. You need an advanced function to accomplish the following:

• Compare the memberOf field as a string (in the event the user belongs to only one group).
• Iterate through each returned memberOf field if the returned data is of type "table".

The function we have written and tested for this purpose is shown below. In this example, if a user is a member of any group ending with "-stu" they match this DAP.

    assert(function()
      local pattern = "-stu$"
      local attribute = aaa.ldap.memberOf
      -- single group: memberOf is returned as one string
      if ((type(attribute) == "string") and
          (string.find(attribute, pattern) ~= nil)) then
        return true
      end
      -- the table-iteration branch for multiple groups continues on the next page of the guide
      return false
    end)()

Cisco ASA 5500 Series Configuration Guide using ASDM
65-26
Chapter 65 Configuring Dynamic Access Policies
OL-20339-01
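The following is an added example, not code from the Cisco guide. It exercises both DAP expressions from this page (the OU-based match and the group-membership match, including the table branch the text describes) against a hand-built stand-in for the aaa.ldap data that the ASA populates from the LDAP response, and it shows two pitfalls of string.find that matter when a match decides which access policy a user gets: case sensitivity, and Lua pattern magic characters in group names. The function names ou_match, ou_match_ci, group_match and literal, and all DNs and group names, are invented for the example.

```lua
-- Added example, not code from the Cisco guide. Runs the page's two DAP expressions
-- against a constructed stand-in for aaa.ldap and demonstrates two string.find pitfalls.

-- OU-based match (guide's first expression). True when the DN is a string that ends with
-- the Admins OU, which also covers any container nested below it.
local function ou_match(ldap)
  local dn = ldap.distinguishedName
  return type(dn) == "string"
     and string.find(dn, "OU=Admins,dc=cisco,dc=com$") ~= nil
end

-- Case-insensitive variant: LDAP DNs compare case-insensitively, Lua string.find does not,
-- so normalise both sides when the directory may return mixed casing.
local function ou_match_ci(ldap)
  local dn = ldap.distinguishedName
  return type(dn) == "string"
     and string.find(string.lower(dn), "ou=admins,dc=cisco,dc=com$") ~= nil
end

-- Group match (guide's second expression, with the table branch the page describes).
-- memberOf is a string when the user is in one group and a table when in several.
local function group_match(ldap, pattern)
  local attribute = ldap.memberOf
  if type(attribute) == "string" then
    return string.find(attribute, pattern) ~= nil
  elseif type(attribute) == "table" then
    for _, v in pairs(attribute) do
      if type(v) == "string" and string.find(v, pattern) ~= nil then
        return true
      end
    end
  end
  return false  -- memberOf missing or of an unexpected type: no match
end

-- Escape Lua pattern magic characters so a group name is matched literally.
-- string.find takes a Lua pattern, not a POSIX regex: a '-' that follows another
-- character is a lazy quantifier, so the pattern "sales-stu$" cannot match a literal hyphen.
local function literal(s)
  return (string.gsub(s, "[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- Constructed sample users (names, DNs and groups invented for this example).
local users = {
  { name = "nested admin, one group",
    ldap = { distinguishedName = "CN=Example User,OU=Tier1,OU=Admins,dc=cisco,dc=com",
             memberOf = "Helpdesk-stu" } },
  { name = "user with several groups",
    ldap = { distinguishedName = "CN=Eve,OU=Users,dc=cisco,dc=com",
             memberOf = { "Physics-fac", "Chemistry-stu" } } },
  { name = "no memberOf returned",
    ldap = { distinguishedName = "CN=Guest,OU=Users,dc=cisco,dc=com" } },
  { name = "lower-case DN",
    ldap = { distinguishedName = "cn=Ops,ou=Admins,dc=cisco,dc=com", memberOf = "Ops-fac" } },
}

for _, u in ipairs(users) do
  print(string.format("%-28s ou=%-5s ou_ci=%-5s stu=%s", u.name,
    tostring(ou_match(u.ldap)), tostring(ou_match_ci(u.ldap)),
    tostring(group_match(u.ldap, "-stu$"))))
end

-- Magic-character pitfall: the unescaped pattern silently fails to match the group,
-- while the escaped form literal("sales-stu") .. "$" ("sales%-stu$") matches it.
local sales = { memberOf = "sales-stu" }
print(group_match(sales, "sales-stu$"))
print(group_match(sales, literal("sales-stu") .. "$"))
```

On the ASA the body of group_match goes inside the assert(function() ... end)() wrapper exactly as the guide shows, with aaa.ldap in place of the ldap parameter; run debug dap trace to confirm which attribute values the LDAP server actually returns before relying on a pattern, since an unescaped hyphen or a casing mismatch fails closed (no match) rather than raising an error.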
