Dynamic access policies (DAP), a feature introduced in ASA software release 8.0, enable you to configure authorization that addresses the dynamics of VPN environments. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security.
The ASA grants access to a particular user for a particular session based on the policies you define. It generates a DAP during user authentication by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and/or AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.
I will explain this in simpler terms using a real world example.
User-1 should only have access to 10.10.10.0/24; all other traffic should be denied. User-1 is a member of the Sales AD group.
User-2 should only have access to 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24; all other traffic should be denied. User-2 is a member of the IT-Admin AD group.
We can achieve this by utilising DAP with LDAP authentication.
Step - 1 Set up Remote Access VPN
ip local pool dap-pool 10.100.100.1-10.100.100.250 mask 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel standard permit 172.16.0.0 255.240.0.0
access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
aaa-server AD-DAP protocol ldap
aaa-server AD-DAP (inside) host 10.10.20.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPN,OU=Service Accounts,OU=Company,DC=example,DC=local
 server-type microsoft
 ldap-attribute-map vpn_map
Step - 2 Set up Dynamic Access Policies
We can think of this as if/then statements. I'm instructing the ASA that if the user is part of "this group", then apply "this ACL".
In the figure below you can see that the config reads: if the user is part of the "Sales" AD group, then apply the "SALES-VPN" ACL.
1. Go to Remote Access VPN >> Network (Client) Access >> Dynamic Access Policies within ASDM
You can add an AAA attribute by clicking the "Add" button.
2. Add two policies, one for each AD group
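The network ACLs that the two DAP records select, written out as an added example (not config from the original post). SALES-VPN is the ACL name used in the post; IT-ADMIN-VPN is an assumed name, and the source network is the dap-pool from Step 1.

```cisco
! Added example, not part of the original post. Source is the dap-pool
! (10.100.100.0/24); the explicit deny makes the intended default visible
! in "show access-list" hit counts rather than relying on the implicit deny.
!
! Sales DAP record -> SALES-VPN: only 10.10.10.0/24, everything else dropped
access-list SALES-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list SALES-VPN extended deny ip any any
!
! IT-Admin DAP record -> IT-ADMIN-VPN (assumed name): the three internal subnets
access-list IT-ADMIN-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list IT-ADMIN-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list IT-ADMIN-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list IT-ADMIN-VPN extended deny ip any any
!
! Verification: confirm the LDAP bind and lookup work for a test account
! (replace the placeholder with the account's password when you run it)
test aaa-server authentication AD-DAP host 10.10.20.10 username user-1 password <placeholder>
! and, once a client is connected, confirm the expected lines are being hit
show access-list SALES-VPN
```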
We can see that the ASA is receiving the AD group information via LDAP.
We can also see below that the correct ACL is applied to User-2
Important thing to remember
Dynamic access policy records are not saved in the running config file. The records are saved as an XML file in flash. Make sure to take regular backups of this file.
ASA# dir
Directory of disk0:/
26 -rwx 1468 15:12:34 May 12 2020 dap.xml
Thanks for reading
As always, your feedback and comments are more than welcome.