Cisco ASA Dynamic Access Policy

In: Cisco, Firewall

Dynamic access policies (DAP), a new feature introduced in software release 8.0 code of the ASA, enable you to configure authorization that addresses the dynamics of VPN environments. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security.

The ASA grants access to a particular user for a particular session based on the policies you define. It generates a DAP during user authentication by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and/or AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.

I will explain this in simpler terms using a real-world example.


User-1 should only have access to  and deny all other traffic. User-1 is part of Sales AD group.

access-list SALES-VPN extended permit ip
access-list SALES-VPN extended deny ip any any
sales acl

User-2 should only have access to, and  Deny all other traffic. User-2 is part of IT-Admin AD group.

access-list IT-VPN extended permit ip
access-list IT-VPN extended permit ip
access-list IT-VPN extended permit ip
access-list IT-VPN extended deny ip any any
it admin acl

We can achieve this by utilising DAP with LDAP authentication.

Step - 1  Set up Remote Access VPN

ip local pool dap-pool mask

access-list split-tunnel standard permit 
access-list split-tunnel standard permit 
access-list split-tunnel standard permit

aaa-server AD-DAP protocol ldap
aaa-server AD-DAP (inside) host
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPN,OU=Service Accounts,OU=Company,DC=example,DC=local
 server-type microsoft
 ldap-attribute-map vpn_map
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-4.5.04029-webdeploy-k9.pkg 5
 anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
group-policy VPN-GRP attributes
 dns-server value 
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client 
 split-tunnel-network-list value split-tunnel
 default-domain value
group policy
tunnel-group vpn-dap type remote-access
tunnel-group vpn-dap general-attributes
 address-pool dap-pool
 authentication-server-group AD-DAP
tunnel-group vpn-dap webvpn-attributes
 group-alias VPN enable

Step - 2  Set up Dynamic Access Policies

We can think of this as if, then statements. I'm instructing the ASA that if the user is part of "this group" then apply "this ACL"

  1. Go to Remote Access VPN >> Network (Client) Access >> Dynamic Access Policies within ASDM
dap asdm

You can add AAA attribute by clicking on the "Add" button.

2. Add two policies for both AD-Groups

In the below figure you can see that the config shows if the user is part of "Sales" AD group then apply "SALES-VPN" ACL.

sales dap


We can see ASA is getting the AD-group information via LDAP

ASA# debug dap trace 
debug dap trace enabled at level 1

ASA# DAP_TRACE: DAP_open: New DAP Request: BD
DAP_TRACE: Username: User-2, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: User-2, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.8.03538";

DAP_TRACE: aaa["ldap"]["memberOf"]["1"] = "IT-Admin"
group info

We can also see below that the correct ACL is applied to User-2

ASA# show vpn-sessiondb detail anyconnect filter name User-2 | incl IT-VPN

  Filter Name  : IT-VPN
correct acl

The important thing to remember

Dynamic access policy records are not saved in the running-config file. The records save as an XML file in the flash. Make sure to take regular backs up of this file.

ASA# dir

Directory of disk0:/

26     -rwx  1468         15:12:34 May 12 2020  dap.xml


ASA 8.x Dynamic Access Policies (DAP) Deployment Guide
This document describes dynamic access polices (DAP) deployment for ASA 8.x.

Thanks for reading. As always, your feedback and comments are more than welcome.

Written by
Suresh Vina
Tech enthusiast sharing Networking, Cloud & Automation insights. Join me in a welcoming space to learn & grow with simplicity and practicality.
More from Packetswitch
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Packetswitch.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.