Cisco ASA 5505 Configuration Manual page 1454

Asa 5500 series

Understanding VPN Access Policies
Enforcing CSD Checks and Applying Policies via DAP
This example creates a DAP that checks that a user belongs to two specific AD/LDAP groups
(Engineering and Employees) and a specific ASA tunnel group. It then applies an ACL to the user.
The ACLs that DAP applies control access to the resources. They override any ACLs defined in the group
policy on the adaptive security appliance. In addition, the adaptive security appliance applies the regular
AAA group policy inheritance rules and attributes for those that DAP does not define or control,
examples being split tunneling lists, banner, and DNS. To accomplish this task, perform the following
steps.
Step 1
Navigate to the Add AAA attributes pane (Configuration > Remote Access VPN > Clientless SSL VPN
Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add
AAA Attribute).
Step 2
For the AAA Attribute type, use the drop-down menu to choose LDAP.
Step 3
In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 4
In the Value field, use the drop-down menu to choose =, and in the adjacent field enter Engineering.
Step 5
In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 6
In the Value field, use the drop-down menu to select =, and in the adjacent field enter Employees.
Step 7
For the AAA attribute type, use the drop-down menu to choose Cisco.
Step 8
Check the Tunnel group box, use the drop-down menu to choose =, and in the adjacent drop-down list
select the appropriate tunnel group (connection policy).
Step 9
In the Network ACL Filters tab of the Access Policy Attributes area, choose the ACLs to apply to users
who meet the DAP criteria defined in the previous steps.
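
The selection logic these steps configure can be modelled offline to check which users would receive the ACL before the policy is deployed. The following Python sketch is an added example, not Cisco code and not taken from this manual; the tunnel group name `ExampleTG`, the sample sessions, the dictionary layout, and the comparison of `memberOf` values by their first CN are assumptions.

```python
import re

# Selection criteria from Steps 2-8. "ExampleTG" is a constructed tunnel
# group name; the page leaves the tunnel group to the administrator.
DAP_CRITERIA = [
    ("ldap", "memberOf", "Engineering"),
    ("ldap", "memberOf", "Employees"),
    ("cisco", "tunnelgroup", "ExampleTG"),
]

def first_cn(value):
    """Return the first CN of a DN such as 'CN=Engineering,OU=Groups,...'.
    Assumption: groups are compared by CN; a plain name is used as-is."""
    m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", value, re.IGNORECASE)
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip() if m else value.strip()

def unmet_criteria(session, criteria=DAP_CRITERIA):
    """List the criteria a session fails; an empty list means the DAP applies."""
    failed = []
    for source, attr_id, wanted in criteria:
        # Exact key lookup: an attribute stored as 'memberof' is not 'memberOf'.
        values = session.get(source, {}).get(attr_id, [])
        if isinstance(values, str):
            values = [values]          # single-valued attribute
        if wanted not in {first_cn(v) for v in values}:
            failed.append((source, attr_id, wanted))
    return failed

def dap_applies(session):
    """True when every criterion is met (all criteria are ANDed)."""
    return not unmet_criteria(session)

# Constructed sample sessions (not real directory data).
GROUPS = "OU=Groups,DC=example,DC=com"
BOTH = [f"CN=Engineering,{GROUPS}", f"CN=Employees,{GROUPS}"]
SESSIONS = {
    "alice": {"ldap": {"memberOf": BOTH}, "cisco": {"tunnelgroup": "ExampleTG"}},
    "bob":   {"ldap": {"memberOf": f"CN=Employees,{GROUPS}"},
              "cisco": {"tunnelgroup": "ExampleTG"}},
    "carol": {"ldap": {"memberof": BOTH}, "cisco": {"tunnelgroup": "ExampleTG"}},
    "dave":  {"ldap": {"memberOf": BOTH}, "cisco": {"tunnelgroup": "OtherTG"}},
}

if __name__ == "__main__":
    for user, session in SESSIONS.items():
        print(user, "DAP applies" if dap_applies(session) else unmet_criteria(session))
```

In this model only `alice` receives the DAP's ACL; the other sessions fall back to whatever other DAP records or group policy settings apply to them.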
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
Chapter 65, Configuring Dynamic Access Policies, page 65-30
