Dynamic access policies (DAP), introduced in ASA software release 8.0, let you configure authorization that addresses the dynamic nature of VPN environments. You create a dynamic access policy by defining a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address the problems of multiple group membership and endpoint security.
The ASA grants access to a particular user for a particular session based on the policies you define. It generates a DAP during user authentication by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and/or AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.
I will explain this in simpler terms using a real-world example.
Scenario
User-1 should only have access to 10.10.10.0/24; all other traffic is denied. User-1 is a member of the Sales AD group.
User-2 should only have access to 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24; all other traffic is denied. User-2 is a member of the IT-Admin AD group.
We can achieve this by utilising DAP with LDAP authentication.
Step - 1 Set up Remote Access VPN
ip local pool dap-pool 10.100.100.1-10.100.100.250 mask 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel standard permit 172.16.0.0 255.240.0.0
access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
aaa-server AD-DAP protocol ldap
aaa-server AD-DAP (inside) host 10.10.20.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPN,OU=Service Accounts,OU=Company,DC=example,DC=local
 server-type microsoft
 ldap-attribute-map vpn_map
Step - 2 Set up Dynamic Access Policies
We can think of this as a set of if/then statements. I'm instructing the ASA that if the user is a member of "this group", then apply "this ACL".
1. Go to Remote Access VPN >> Network (Client) Access >> Dynamic Access Policies within ASDM.
You can add an AAA attribute by clicking on the "Add" button.
2. Add two policies, one for each AD group.
In the figure below, the configuration shows that if the user is a member of the "Sales" AD group, the "SALES-VPN" ACL is applied.
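The if/then logic above, as an added example that is not part of the original post: a simplified Python model of how the ASA selects DAP records from the user's LDAP group membership and aggregates their network ACLs, using the subnets from the scenario. The group DNs, the "ITADMIN-VPN" ACL name and the record priorities are assumed sample values.

```python
# Added example (not from the original post): a simplified model of DAP record
# selection and network-ACL aggregation. Group DNs, the ITADMIN-VPN ACL name and
# the priorities are assumed sample values, not taken from a real ASA.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DapRecord:
    name: str
    priority: int        # higher-priority records are placed first in the aggregate
    member_of: str       # AAA attribute the record matches (LDAP memberOf DN, assumed)
    acl_name: str
    permits: tuple       # all-permit ACL; anything unmatched hits the implicit deny


# Records mirroring the scenario: Sales -> SALES-VPN, IT-Admin -> ITADMIN-VPN (assumed name)
DAP_RECORDS = (
    DapRecord("Sales-DAP", 10, "CN=Sales,OU=Groups,DC=example,DC=local", "SALES-VPN",
              ("10.10.10.0/24",)),
    DapRecord("ITAdmin-DAP", 20, "CN=IT-Admin,OU=Groups,DC=example,DC=local", "ITADMIN-VPN",
              ("10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24")),
)


def select_records(user_groups):
    """Pick every DAP record whose AAA attribute matches one of the user's groups."""
    matched = [r for r in DAP_RECORDS if r.member_of in user_groups]
    return sorted(matched, key=lambda r: r.priority, reverse=True)


def aggregate_acl(user_groups):
    """Concatenate the network ACLs of all selected records, highest priority first."""
    acl = []
    for record in select_records(user_groups):
        acl.extend(ip_network(net) for net in record.permits)
    return acl


def is_permitted(user_groups, dst_ip):
    """Evaluate the aggregated ACL for a destination; no match means implicit deny."""
    dst = ip_address(dst_ip)
    return any(dst in net for net in aggregate_acl(user_groups))


# Constructed sample LDAP memberOf results for the two users in the scenario
USER1_GROUPS = ("CN=Sales,OU=Groups,DC=example,DC=local",)
USER2_GROUPS = ("CN=IT-Admin,OU=Groups,DC=example,DC=local",)

if __name__ == "__main__":
    for user, groups in (("User-1", USER1_GROUPS), ("User-2", USER2_GROUPS)):
        acls = [r.acl_name for r in select_records(groups)]
        print(user, "gets", acls, "- 10.10.20.5 permitted:", is_permitted(groups, "10.10.20.5"))
```

A user who is a member of both groups gets both records, so the model also shows why DAP ACLs are kept to permit entries: a deny-any inside the higher-priority ACL would shadow the permits aggregated after it.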
Verification
We can see that the ASA is retrieving the AD group information via LDAP.
We can also see below that the correct ACL is applied to User-2.
The important thing to remember
Dynamic access policy records are not saved in the running-config. They are stored as an XML file (dap.xml) on flash, so make sure to take regular backups of this file.
ASA# dir
Directory of disk0:/
26 -rwx 1468 15:12:34 May 12 2020 dap.xml
Reference
Thanks for reading. As always, your feedback and comments are more than welcome.