Cisco ASA Dynamic Access Policy

Dynamic access policies (DAP), a feature introduced in ASA software release 8.0, enable you to configure authorization that addresses the dynamics of VPN environments. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address the problems of multiple group membership and endpoint security.

The ASA grants access to a particular user for a particular session based on the policies you define. It generates a DAP during user authentication by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and/or AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.

I will explain this in simpler terms using a real-world example.

Scenario

User-1 should only have access to 10.10.10.0/24 and be denied all other traffic. User-1 is a member of the Sales AD group.

access-list SALES-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list SALES-VPN extended deny ip any any
(Figure: Sales ACL)

User-2 should only have access to 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24, and be denied all other traffic. User-2 is a member of the IT-Admin AD group.

access-list IT-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list IT-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list IT-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list IT-VPN extended deny ip any any
(Figure: IT-Admin ACL)

We can achieve this by utilising DAP with LDAP authentication.
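As an added example (not part of the original post), here is a small Python evaluator for the two ACLs above. It parses the `access-list NAME extended permit|deny ip SRC MASK DST MASK` lines, applies them top-down with first match and the ASA's implicit deny, and reports which destination subnets a client from the dap-pool range can reach once the ACL is attached to its session as the filter. Only `permit ip` / `deny ip` with `any`, `host` and network/netmask forms are handled; the client address and the extra 10.10.40.0/24 subnet are constructed test values.

```python
import ipaddress
from dataclasses import dataclass

# The two ACLs from the scenario, used here as constructed input.
SALES_VPN = """
access-list SALES-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list SALES-VPN extended deny ip any any
"""

IT_VPN = """
access-list IT-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list IT-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list IT-VPN extended permit ip 10.100.100.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list IT-VPN extended deny ip any any
"""


@dataclass
class Ace:
    """One access control entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]: 'any', 'host A.B.C.D'
    or 'A.B.C.D NETMASK' (ASA ACLs use real netmasks, not IOS wildcard masks)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' lines into (name, [Ace, ...]).
    Order is preserved because the ASA evaluates ACEs top-down and the first match wins."""
    name, aces = None, []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            raise ValueError(f"unsupported ACL line: {line!r}")
        if tokens[3] not in ("permit", "deny") or tokens[4] != "ip":
            raise ValueError(f"only 'permit ip' / 'deny ip' are handled: {line!r}")
        if name is None:
            name = tokens[1]
        elif tokens[1] != name:
            raise ValueError(f"mixed ACL names in one block: {tokens[1]} vs {name}")
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[3], src, dst))
    return name, aces


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation. No match means the ASA's implicit deny applies, which is why
    the explicit 'deny ip any any' in the scenario is harmless but not strictly required."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def reachable_subnets(acl_text, client_ip, candidates):
    """Return the candidate subnets a VPN client at client_ip may reach under this ACL.
    The first usable host of each candidate is probed, which suffices for whole-subnet ACEs."""
    _, aces = parse_acl(acl_text)
    permitted = []
    for net in candidates:
        probe = ipaddress.ip_network(net).network_address + 1
        if evaluate(aces, client_ip, str(probe)) == "permit":
            permitted.append(net)
    return permitted


if __name__ == "__main__":
    # Constructed test values: a client from the dap-pool, the subnets named in the scenario,
    # and one extra subnet (10.10.40.0/24) that neither user should be able to reach.
    client = "10.100.100.9"
    targets = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24"]
    for label, acl in (("User-1 / SALES-VPN", SALES_VPN), ("User-2 / IT-VPN", IT_VPN)):
        print(f"{label}: {reachable_subnets(acl, client, targets)}")
```

Running it prints the three permitted subnets for IT-VPN and only 10.10.10.0/24 for SALES-VPN; a source outside the dap-pool range is denied by both ACLs, since every permit entry is pinned to the 10.100.100.0/24 pool as the source.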

Step - 1 Set up Remote Access VPN

ip local pool dap-pool 10.100.100.1-10.100.100.250 mask 255.255.255.0

access-list split-tunnel standard permit 10.0.0.0 255.0.0.0 
access-list split-tunnel standard permit 172.16.0.0 255.240.0.0 
access-list split-tunnel standard permit 192.168.0.0 255.255.0.0

aaa-server AD-DAP protocol ldap
aaa-server AD-DAP (inside) host 10.10.20.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=VPN,OU=Service Accounts,OU=Company,DC=example,DC=local
 server-type microsoft
 ldap-attribute-map vpn_map
webvpn
 enable OUTSIDE
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-4.5.04029-webdeploy-k9.pkg 5
 anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 6
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
(Figure: webvpn)
group-policy VPN-GRP attributes
 dns-server value 10.10.10.15 
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client 
 split-tunnel-network-list value split-tunnel
 default-domain value example.com
(Figure: group policy)
tunnel-group vpn-dap type remote-access
tunnel-group vpn-dap general-attributes
 address-pool dap-pool
 authentication-server-group AD-DAP
tunnel-group vpn-dap webvpn-attributes
 group-alias VPN enable
(Figure: tunnel-group)

Step - 2 Set up Dynamic Access Policies

We can think of these as if/then statements: I'm instructing the ASA that if the user is a member of "this group", then apply "this ACL".

1. Go to Remote Access VPN >> Network (Client) Access >> Dynamic Access Policies within ASDM
(Figure: DAP in ASDM)

You can add an AAA attribute by clicking the "Add" button.

2. Add two policies, one for each AD group

In the figure below you can see the config for the first policy: if the user is a member of the "Sales" AD group, then apply the "SALES-VPN" ACL.

(Figure: Sales DAP)

Verification

We can see that the ASA is receiving the AD group information via LDAP:

ASA# debug dap trace 
debug dap trace enabled at level 1

ASA# DAP_TRACE: DAP_open: New DAP Request: BD
DAP_TRACE: Username: User-2, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: User-2, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.8.03538";

DAP_TRACE: aaa["ldap"]["memberOf"]["1"] = "IT-Admin"
(Figure: group info)

We can also see below that the correct ACL is applied to User-2:

ASA# show vpn-sessiondb detail anyconnect filter name User-2 | incl IT-VPN

  Filter Name  : IT-VPN
(Figure: correct ACL)
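As an added example (not code from the original post), the following Python models the if/then selection from Step 2 and checks it against the verification output above. The DAP record layout (name, priority, memberOf, network_acl) is my own simplification of what ASDM stores; the attribute path `aaa["ldap"]["memberOf"]` and the `Filter Name` field are the ones the ASA prints in `debug dap trace` and `show vpn-sessiondb detail anyconnect`. The trace and session samples are constructed in the same shape as the post's output.

```python
import re

# Constructed DAP records mirroring the two policies from Step 2 (layout is my own, not dap.xml's).
DAP_RECORDS = [
    {"name": "SALES-DAP", "priority": 10, "memberOf": "Sales", "network_acl": "SALES-VPN"},
    {"name": "IT-DAP", "priority": 20, "memberOf": "IT-Admin", "network_acl": "IT-VPN"},
]

# Constructed samples in the same shape as the post's verification output.
DEBUG_TRACE = """\
DAP_TRACE: DAP_open: New DAP Request: BD
DAP_TRACE: Username: User-2, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: User-2, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.8.03538";

DAP_TRACE: aaa["ldap"]["memberOf"]["1"] = "IT-Admin"
"""

SESSION_DETAIL = """\
  Filter Name  : IT-VPN
"""

USERNAME_RE = re.compile(r"Username: ([^,]+),")
MEMBEROF_RE = re.compile(r'aaa\["ldap"\]\["memberOf"\]\["\d+"\]\s*=\s*"([^"]+)"')
FILTER_RE = re.compile(r"Filter Name\s*:\s*(\S+)")


def select_dap(records, member_of):
    """Return every record whose memberOf criterion is satisfied by the user's groups,
    highest priority first. This is the if/then step: the ASA evaluates all records and
    aggregates the attributes of those that match; if none match, the default policy
    (DfltAccessPolicy) is applied instead."""
    matched = [r for r in records if r["memberOf"] in member_of]
    return sorted(matched, key=lambda r: r["priority"], reverse=True)


def effective_acls(records, member_of):
    """Network ACL names contributed by the matching records, in priority order."""
    return [r["network_acl"] for r in select_dap(records, member_of)]


def parse_trace(text):
    """Pull the username and the memberOf values out of 'debug dap trace' output."""
    user, groups = None, []
    for line in text.splitlines():
        m = USERNAME_RE.search(line)
        if m and user is None:
            user = m.group(1).strip()
        m = MEMBEROF_RE.search(line)
        if m:
            groups.append(m.group(1))
    return user, groups


def applied_filter(text):
    """The 'Filter Name' reported by 'show vpn-sessiondb detail anyconnect'."""
    m = FILTER_RE.search(text)
    return m.group(1) if m else None


def verify_session(trace_text, session_text, records=DAP_RECORDS):
    """Compare the ACL the DAP records should have selected with the one the session carries.
    A mismatch is the first thing to check when a user reports wrong access: either the LDAP
    attribute map is not returning memberOf, or the DAP criterion does not match the value."""
    user, groups = parse_trace(trace_text)
    expected = effective_acls(records, groups)
    actual = applied_filter(session_text)
    # When several records match, the ASA merges their ACLs into one dynamic ACL, so this
    # equality check is only exact for single-group users like the two in the scenario.
    return {"user": user, "groups": groups, "expected": expected,
            "actual": actual, "ok": bool(expected) and actual == expected[0]}


if __name__ == "__main__":
    print(verify_session(DEBUG_TRACE, SESSION_DETAIL))
    for groups in (["Sales"], ["IT-Admin"], ["Sales", "IT-Admin"], ["Guests"]):
        print(groups, "->", effective_acls(DAP_RECORDS, groups) or "no match: default policy")
```

The script reports `ok: True` for the User-2 sample, and the loop at the end shows the cases worth thinking about before deployment: a user in both groups would get attributes from both records aggregated, and a user in neither falls through to the default policy, so the default record should be deliberately configured rather than left at its out-of-the-box settings.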

The important thing to remember

Dynamic access policy records are not saved in the running-config file. They are stored as an XML file (dap.xml) in flash, so a configuration backup alone does not capture them. Make sure to take regular backups of this file.

ASA# dir

Directory of disk0:/

26     -rwx  1468         15:12:34 May 12 2020  dap.xml

Reference

ASA 8.x Dynamic Access Policies (DAP) Deployment Guide
This document describes dynamic access policies (DAP) deployment for ASA 8.x.

Thanks for reading. As always, your feedback and comments are more than welcome.