36-20
Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
The expected result is that the connection is not allowed and the message appears as a blinking ! point.
Step 5 Click the blinking ! to see the message and links for remediation.
Advanced Lua Functions
When working with dynamic access policies for clientless SSL VPN, you might need additional
flexibility in the match criteria. For example, you might want to apply a different DAP based on the
following:
  - Organizational Unit (OU) or other level of the hierarchy for the user object
  - Group Name that follows a naming convention but has many possible matches; you might require
    the ability to use a wildcard on group names.
You can accomplish this flexibility by creating a Lua logical expression in the Advanced section of the
DAP pane in ASDM.
OU-Based Match
DAP can use many attributes returned from an LDAP server in a logical expression. See the DAP trace
section for example output of this, or run a debug dap trace.
The LDAP server returns the user Distinguished Name (DN), which implicitly identifies where in the
directory the user object is located. For example, if the user DN is CN=Example
User,OU=Admins,dc=cisco,dc=com, this user is located in OU=Admins,dc=cisco,dc=com. If all
administrators are in this OU (or any container below this level), you can use a logical expression to
match on this criterion as follows:
(string.find(aaa.ldap.distinguishedName, "OU=Admins,dc=cisco,dc=com$") ~= nil)
In this example, the string.find function accepts a Lua pattern (a simplified form of regular expression).
Use the $ at the end of the pattern to anchor it to the end of the distinguishedName field, so that the OU
must be the trailing part of the DN rather than merely appear somewhere within it.
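The following is an added example, not code from the Cisco guide. It wraps the OU check above in a helper that escapes Lua pattern characters in the OU name (a hyphen or dot in an OU name would otherwise be read as a pattern operator) and lowercases both sides, since directories compare DN components case-insensitively. The helper names (escape_pattern, user_in_ou) and the sample DNs are constructed for this example; it assumes the ASA's Lua environment exposes string.lower and string.gsub alongside the string.find the guide already uses.

```lua
-- Added example, not code from the Cisco guide. Helper names and sample DNs
-- are constructed; on the ASA the DN comes from aaa.ldap.distinguishedName.

-- Escape Lua pattern magic characters so a DN suffix is matched literally.
local function escape_pattern(s)
  return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- True when dn ends with ou_suffix (the OU itself or any container below
-- it). DN components are compared case-insensitively, so both sides are
-- lowercased. A missing DN (nil) never matches.
local function user_in_ou(dn, ou_suffix)
  if type(dn) ~= "string" then
    return false                       -- attribute absent: no match
  end
  local pattern = escape_pattern(string.lower(ou_suffix)) .. "$"
  return string.find(string.lower(dn), pattern) ~= nil
end

-- Constructed sample DNs (not real directory data) with expected results.
local cases = {
  { dn = "CN=Example User,OU=Admins,dc=cisco,dc=com",            expect = true  },
  { dn = "CN=Example User,OU=Tier1,OU=Admins,dc=cisco,dc=com",   expect = true  }, -- container below the OU
  { dn = "CN=Example User,OU=ADMINS,DC=CISCO,DC=COM",            expect = true  }, -- case differs
  { dn = "CN=Example User,OU=NotAdmins,dc=cisco,dc=com",         expect = false },
  { dn = "CN=Example User,OU=Admins,dc=cisco,dc=com,dc=example", expect = false }, -- not a suffix
  { dn = nil,                                                    expect = false }, -- no DN returned
}
for i, c in ipairs(cases) do
  assert(user_in_ou(c.dn, "OU=Admins,dc=cisco,dc=com") == c.expect, "case " .. i)
end

-- Why the escaping matters: in an unescaped pattern "Sales-Admins" means
-- "Sale", then zero or more "s", then "Admins", so a user in OU=SaleAdmins
-- satisfies the raw string.find check but not user_in_ou.
local raw = string.find("CN=U,OU=SaleAdmins,dc=cisco,dc=com",
                        "OU=Sales-Admins,dc=cisco,dc=com$") ~= nil
assert(raw == true)
assert(user_in_ou("CN=U,OU=SaleAdmins,dc=cisco,dc=com",
                  "OU=Sales-Admins,dc=cisco,dc=com") == false)

-- In the DAP Advanced pane the same logic takes the guide's form, with the
-- helpers defined inside the anonymous function:
-- assert(function()
--   ...escape_pattern and user_in_ou as above...
--   return user_in_ou(aaa.ldap.distinguishedName, "OU=Admins,dc=cisco,dc=com")
-- end)()
```

Run it with a stand-alone Lua interpreter to see the assertions pass; the last case in the table shows the fail-closed behaviour when the LDAP server returns no DN, and the SaleAdmins case shows why a literal suffix comparison is safer than passing a raw OU name as a pattern.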
Group Membership Example
You can create a basic logical expression for pattern matching of AD group membership. Because users
can be members of multiple groups, DAP parses the response from the LDAP server into separate entries
in a table. You need an advanced function to accomplish the following:
  - Compare the memberOf field as a string (in the event the user belongs to only one group).
  - Iterate through each returned memberOf field if the returned data is of type "table".
The function we have written and tested for this purpose is shown below. In this example, if a user is a
member of any group ending with "-stu" they match this DAP.
assert(function()
    -- Single group: the ASA returns memberOf as a string.
    if ((type(aaa.ldap.memberOf) == "string") and
        (string.find(aaa.ldap.memberOf, "-stu$") ~= nil)) then
        return true
    -- Several groups: memberOf is a table; check each entry.
    elseif (type(aaa.ldap.memberOf) == "table") then
        local k, v
        for k, v in pairs(aaa.ldap.memberOf) do
            if (string.find(v, "-stu$") ~= nil) then
                return true
            end
        end
    end
    -- Attribute absent or no group matched.
    return false
end)()
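The following is an added example, not the guide's own function. It generalises the string/table handling above to a list of group-name patterns and makes the missing-attribute case explicit (a user with no memberOf value gets no match). The helper names (member_of_any, dap_expression) and the sample memberOf values are constructed for this example; the real shape of memberOf values should be confirmed from the DAP trace output the guide refers to, and the patterns adjusted if the ASA returns full group DNs rather than bare names.

```lua
-- Added example, not code from the Cisco guide. Helper names and sample
-- LDAP data are constructed; on the ASA, aaa.ldap is filled in from the
-- LDAP response.

-- Returns true if any memberOf value matches any of the given Lua patterns.
-- memberOf may be a string (one group), a table (several groups) or nil
-- (attribute not returned), which is treated as "no match".
local function member_of_any(memberOf, patterns)
  local values
  if type(memberOf) == "string" then
    values = { memberOf }                 -- single group
  elseif type(memberOf) == "table" then
    values = memberOf                     -- several groups
  else
    return false                          -- attribute absent: fail closed
  end
  for _, v in pairs(values) do
    if type(v) == "string" then
      for _, pat in ipairs(patterns) do
        -- A leading "-" has nothing to quantify, so Lua treats it literally;
        -- the "$" keeps the match anchored to the end of the group name.
        if string.find(v, pat) ~= nil then
          return true
        end
      end
    end
  end
  return false
end

-- The DAP Advanced pane expression in the guide's assert(function() ... end)()
-- form, here taking the aaa table as a parameter so it can be exercised offline.
local function dap_expression(aaa)
  return assert(function()
    return member_of_any(aaa.ldap.memberOf, { "-stu$", "-fac$" })
  end)()
end

-- Constructed sample data covering the three shapes DAP can see.
local one_group   = { ldap = { memberOf = "math-stu" } }
local many_groups = { ldap = { memberOf = { "chess-club", "physics-stu" } } }
local staff_only  = { ldap = { memberOf = { "payroll", "it-staff" } } }
local no_attr     = { ldap = { } }

assert(dap_expression(one_group)   == true)
assert(dap_expression(many_groups) == true)
assert(dap_expression(staff_only)  == false)
assert(dap_expression(no_attr)     == false)

-- The "$" anchor is what stops a longer name from matching by accident.
assert(member_of_any("history-stu-alumni", { "-stu$" }) == false)
assert(member_of_any("history-stu-alumni", { "-stu" })  == true)
```

The last two assertions show the difference the anchor makes: without the "$", any group whose name merely contains "-stu" would satisfy the policy, which is usually broader than intended.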