31-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Dynamic Access Page (ASA)
Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP
The LDAP client stores all native LDAP response attribute value pairs in a database associated with the AAA session for the user. The LDAP client writes the response attributes to the database in the order in which it receives them. When it receives an attribute whose name is already present in the database, it discards that attribute and all subsequent attributes with that name, so the first value received is kept. This scenario might occur when a user record and a group record are both read from the LDAP server. The user record attributes are read first, and always have priority over group record attributes.
To support Active Directory group membership, the AAA LDAP client provides special handling of the LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group record in AD. The name of the group is the first CN value in the DN string. The LDAP client extracts the group name from the DN string and stores it as the AAA memberOf attribute, and in the response attribute database as the LDAP memberOf attribute. If there are additional memberOf attributes in the LDAP response message, then the group name is extracted from those attributes and is combined with the earlier AAA memberOf attribute to form a comma-separated string of group names, which is also updated in the response attribute database.
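As an added illustration (not Cisco's code; the attribute names, group names and DNs are constructed), the following Python models the two behaviours described above: a repeated attribute name keeps the first value received, and each memberOf DN is reduced to its first CN and joined into a comma-separated group list. It assumes RFC 4514 backslash escaping when splitting the DN, which the guide does not specify.

```python
import re

# Constructed sample response, in the order the LDAP server returns it:
# the user record first, then a group record. Values are invented.
USER_RECORD = [
    ("sAMAccountName", "jdoe"),
    ("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
    ("memberOf", "CN=Sales\\, East,OU=Groups,DC=example,DC=com"),
    ("department", "Finance"),
]
GROUP_RECORD = [
    ("department", "Group-Level"),   # same name as a user attribute: discarded
    ("description", "VPN users"),
]


def first_cn(dn):
    """Return the value of the first CN RDN in an LDAP DN, or None.

    Splits only on unescaped commas (RFC 4514 escape character is '\\')
    and unescapes the result. Assumption: the appliance treats escaping
    the same way; the guide does not say.
    """
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.partition("=")
        if name.strip().lower() == "cn":
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def build_attribute_db(records):
    """Build the per-session response attribute database.

    Attributes are written in the order received; a later attribute whose
    name is already present is discarded (first value wins). memberOf is
    the exception: each value is reduced to its group name and appended
    to a comma-separated list of group names.
    """
    db = {}
    for record in records:
        for name, value in record:
            if name == "memberOf":
                group = first_cn(value)
                if group is None:
                    continue  # no CN in the DN: nothing to record
                db[name] = group if name not in db else db[name] + "," + group
            elif name not in db:
                db[name] = value
            # else: duplicate name, discarded; the earlier value has priority
    return db
```

Note that a group name containing a comma (the constructed "Sales, East") makes the combined comma-separated string ambiguous; the guide does not describe how the appliance handles that case.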
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it, since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 31-12 with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes LDAP as the Criterion.
Related Topics
Understanding DAP Attributes, page 31-3
Configuring DAP Attributes, page 31-7
Configuring Dynamic Access Policies, page 31-2
Table 31-6 Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco (Continued)
Element Description
Connection Profiles Select the check box, select the matching criteria (for example, is) from the drop-down list, and select the connection profile from a list of all the SSL VPN Connection Profile policies defined on the security appliance.
An SSL VPN connection profile comprises a set of records that contain VPN tunnel connection profile policies, including the attributes that pertain to creating the tunnel itself.
Note For a description of the procedure to configure an SSL VPN Connection Profiles policy, see Configuring Connection Profiles (ASA, PIX 7.0+), page 30-6.