How to map a dynamic access policy to a group policy?

Experts,

I'm doing an SSL implementation, and part of the requirement is that users authenticating against LDAP are mapped to a particular group policy. They need this mapping for a particular bookmark assigned to them, because they are strictly using the WebVPN portal. I have several DAPs configured and I want to map the user that matches each DAP to a particular group policy. I read that you can use the LDAP attributes on the user account in AD, but I want to map the DAP "mortgage" to the group policy "mortgage", as opposed to reading additional AD attributes of the user. Is this possible?

DAP and group policy are two ways to implement access control for remote access VPN clients.

DAP must take precedence over group policy.

When the LDAP server responds to the authentication request with the LDAP group membership attribute, you can map this attribute to either a DAP record or a group policy.

If you want to map the LDAP group membership attribute to a group policy, you must configure an LDAP attribute map. Please see the example below:

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

If you want to map the LDAP group membership attribute to a DAP policy, you will find the guide in ASDM:

Edit -> Advanced -> Guide, in the dynamic access policy.

The text below is copied from that guide.

Group membership example

You can create a basic logical expression for pattern matching on AD group membership. Because users can belong to several groups, DAP parses the response from the LDAP server into separate fields in a table. You need an advanced function to accomplish the following:

  • Compare the memberOf field as a string (the case in which the user belongs to a single group).
  • Iterate over each returned memberOf field if the returned data is of type "table".

The function that we have written and tested for this purpose is shown below. In this example, if a user is a member of any group ending with "-stu", they match this DAP.

assert(function()
   local pattern = "-stu$"
   local attribute = aaa.ldap.memberOf
   if ((type(attribute) == "string") and
       (string.find(attribute, pattern) ~= nil)) then
       return true
   elseif (type(attribute) == "table") then
       local k, v
       for k, v in pairs(attribute) do
           if (string.find(v, pattern) ~= nil) then
               return true
           end
       end
   end
   return false
end)()
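
An offline harness for checking this kind of memberOf logic before pasting it into the DAP advanced field, as an added example that is not from the Cisco guide or the original answer. It generalises the "-stu" suffix match to literal-suffix and exact-name checks; the helper names, the aaa stub and the sample group names are constructed assumptions, and it assumes the standard Lua string library.

```lua
-- Added example (not Cisco's code): offline harness for a DAP-style memberOf check.
-- All function names and sample group names below are hypothetical.

-- Escape Lua pattern magic characters so a group name is matched literally.
local function escape_pattern(s)
    return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- One group arrives as a string, several as a table, none as nil.
local function as_list(attribute)
    if type(attribute) == "string" then return { attribute } end
    if type(attribute) == "table" then return attribute end
    return {}
end

-- True if any group name ends with the literal suffix (generalises "-stu$").
local function member_of_has_suffix(attribute, suffix)
    local pattern = escape_pattern(suffix) .. "$"
    for _, group in pairs(as_list(attribute)) do
        if type(group) == "string" and string.find(group, pattern) ~= nil then
            return true
        end
    end
    return false
end

-- True only if a group name equals `name` exactly (no pattern matching at all).
local function member_of_equals(attribute, name)
    for _, group in pairs(as_list(attribute)) do
        if group == name then return true end
    end
    return false
end

-- Constructed stand-in for the table the ASA exposes to DAP Lua expressions.
local aaa = { ldap = {} }

aaa.ldap.memberOf = "eng-stu"                          -- single group: string
assert(member_of_has_suffix(aaa.ldap.memberOf, "-stu"))

aaa.ldap.memberOf = { "staff", "mortgage-users" }      -- several groups: table
assert(not member_of_has_suffix(aaa.ldap.memberOf, "-stu"))
assert(member_of_equals(aaa.ldap.memberOf, "mortgage-users"))
assert(not member_of_equals(aaa.ldap.memberOf, "mortgage"))

-- Pitfall: unescaped, "e-" means "as few 'e' as possible", so the name
-- fails to match itself; plain find (4th argument true) or escaping fixes it.
assert(string.find("mortgage-users", "mortgage-users") == nil)
assert(string.find("mortgage-users", "mortgage-users", 1, true) == 1)
assert(string.find("mortgage-users", escape_pattern("mortgage-users")) == 1)

aaa.ldap.memberOf = nil                                -- attribute not returned
assert(not member_of_has_suffix(aaa.ldap.memberOf, "-stu"))
print("all checks passed")
```

An exact-name check avoids the case where a substring or suffix pattern also matches an unrelated group and grants the wrong DAP.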

Tags: Cisco Security

Similar Questions

  • How to limit maximum SSL VPN sessions by group policy on ASA5510?

    How to limit maximum SSL VPN sessions by group policy on ASA5510?

    Any ideas?

    There are 2 group policies: the first with a maximum of 10 connections, the second with 15 (25 SSL VPN licenses in total).

    Hi Anton,

    It is an interesting question.

    Please check the following options, depending on your scenario:

    vpn-simultaneous-logins

    To configure the number of simultaneous logins permitted for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.

    vpn-simultaneous-logins {integer}

    no vpn-simultaneous-logins

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/uz.html#wp1664777

    There is a global command which, although it may not be useful, I wanted to share with you:

    vpn-sessiondb max-session-limit

    --> To specify the maximum VPN session limit.

    Best option:

    What you can do is create one IP pool with 10 addresses and another with 15; this way you allow only 10 and 15 connections respectively.

    ip local pool only_10 192.168.1.1-192.168.1.10

    ip local pool only_15 192.168.2.1-192.168.2.15

    Then,

    group-policy only_10 attributes

    address-pools value only_10

    !

    group-policy only_15 attributes

    address-pools value only_15

  • How to map a dynamic/computed column in the annotation of persistence?

    I am trying to use JPA to map the results of a query to a class, but one of the columns returned by the query is the result of a subquery - it doesn't really have a column associated with it.

    Example:

    select a, b, c,
    case when exists (select 1 from some_other_table where ...) then 'Y' else 'N' end as test_flag
    from some_table
    where ...

    This case statement that performs a subquery to produce a result that is not actually mapped to a physical column so I

    How do I annotate such a situation so that Hibernate, or whatever provider, populates a property named testFlag when it loads the results of this query?

    Trant says:
    I am trying to use JPA to map the results of a query to a class, but one of the columns returned by the query is the result of a subquery - it doesn't really have a column associated with it.

    Can you share the code? This seems to be the opposite of what JPA or any ORM package is intended for; you would usually have the ORM package produce SQL statements based on an object model and a high-level object query, but here you are trying to feed a pre-existing query into an object model. As I said - backwards. You may want to use executeNativeQuery?

    Whenever I am confronted with a situation where a query starts to involve unions, subqueries, etc., I keep the JPA side as dumb as possible. I create a view on the database side and simply map my entity to that view. With appropriate indexing in place, that usually performs very well.

  • How can I create dynamic events for a group/list?

    Hey,
    ATM I'm programming a small application where I add items to my center pane.

    Simplified, I've got:

    - Center pane: the items appear here on right click in the lower pane. This component must serve as something like a playground where you can drag and drop and associate items from the bottom pane.
    - Lower component: here I've got approximately 180 items which are quite similar. It's something like a menu of items that you can use. I realized the java classes extended from a parent with v.f. dispute class.

    What I want:
    I want to create an event handler for EACH of the 'menu' items dynamically. Just something like:
        for (int i = 0; i < basic_menu_list.size(); i++)
        {
          final Element el = hbox_bottom.getChildren().get(i);
          hbox_bottom.getChildren().get(i).setOnMouseClicked(new EventHandler<MouseEvent>()
          {
    
            public void handle(MouseEvent event)
            {
              if (event.isSecondaryButtonDown())
              {
                playground.add(el);
                redrawPlayground();
              }
            }
    
          });
        }
    But as I expected, it does not work...

    Now my question:
    How can I solve this problem? Is there no option to listen to all the elements of a group without hard-coding every single listener?

    Thanks for your help,
    Martin

    Hello user,

    Why did you expect it wouldn't work?
    There is an example with a 'transition' applied to a bunch of circles in Getting Started with JavaFX (http://download.oracle.com/javafx/2.0/get_started/jfxpub-get_started.htm)

    Here is a basic example class...

    import javafx.application.Application;
    
    import javafx.event.EventHandler;
    
    import javafx.scene.Node;
    import javafx.scene.Scene;
    import javafx.scene.control.TextBox;
    import javafx.scene.input.MouseEvent;
    import javafx.scene.layout.Pane;
    import javafx.scene.layout.VBox;
    
    import javafx.stage.Stage;
    
    public class HelloWorld extends Application {
    
        //~ ----------------------------------------------------------------------------------------------------------------
        //~ Methods
        //~ ----------------------------------------------------------------------------------------------------------------
    
        public static void main(String[] args) {
            // Entry point
            Application.launch(args);
        }
    
        @Override
        public void start(Stage mainStage) throws Exception {
    
            Pane pane = new Pane();
            Scene scene = new Scene(pane, 200, 200);
    
            VBox vBox = new VBox();
            TextBox input1 = new TextBox();
            TextBox input2 = new TextBox();
            vBox.getChildren().addAll(input1, input2);
    
            for (Node input : vBox.getChildren()) {
                input.setOnMouseClicked(new EventHandler<MouseEvent>() {
                        public void handle(MouseEvent event) {
                            System.out.println("test click");
                        }
                    });
            }
    
            pane.getChildren().add(vBox);
            mainStage.setScene(scene);
            mainStage.setVisible(true);
        }
    }
    

    Niculaiu

  • How to map a network drive to the Group skydrive

    I'm trying to map a network drive in Windows 7 to a SkyDrive group

    Hello MarkJoneslevrEdge,

    Thanks for the reply.  However, I cannot see all of the files available from the link above.  You may need to share it, so that others can view it.  I have included a link below to SkyDrive support which I hope will help you.  Also, if you are unable to get this resolved from the link, I would suggest posting your question at the same link below.

    Can I add my SkyDrive as a network location?

    http://windowslivehelp.com/thread.aspx?ThreadId=9e8aefc0-d0a3-43d2-8e1f-2d25537738e7

  • How can I run GPedit.msc to start local Group Policy Editor

    I have greyed-out system icons in the taskbar. I need help, as I do not know how to run GPedit.msc to start the local Group Policy Editor

    What version of Vista do you have?  Unless it's Professional, Ultimate or Enterprise (maybe), you don't have this ability.

  • How to dynamically access the SQLite result set?

    I want to dynamically access the SQLite result set. Since WebWorks does not support "PRAGMA table_info(table_name);", I save information about all newly created tables in a single two-column table called schema. schema has two columns, table_name and column_name.

    So I created a function to dynamically access the data in the table. I use item = results.rows.item(i) and then access the data with item.column.

    column is a variable that receives a column_name value from schema. When I alert(column) I get the correct column_name, but when I use item.column my results are "undefined".

    Any advice on how to solve this issue?

    I managed to solve this issue. The solution is the following: the normal way to access the data of the variable item = results.rows.item(i) is item.column (where column is the name of the column in the database table). To access the data dynamically, I declare a var col1 and assign the different values to col1. I then access the data in the database using item[col1]. Hope that makes sense. If you need a further explanation contact me at [email protected]

  • Question of dynamic access Cisco policy

    I have my Cisco ASA pulling from Active Directory. So far I have only deployed clientless VPN for intranet access. But in testing I have Cisco AnyConnect VPN working from Active Directory as well. I would like to give different levels of access to the AnyConnect VPN. I've been messing around with dynamic access policies. However, when I create a new policy and map it to the users group in AD and the network access list, then click Terminate on the DfltAccessPolicy, I can no longer connect to the clientless VPN. I gave my DAP policy a priority of 2147483647, which I read was the highest, but it still does not work. What am I doing wrong?

    Thanks in advance for your help

    Awesome Neal!

    Thanks for sharing how you solved your problem; sharing with others is the idea of this great forum.

    Please mark this message as answered.

    Have a good one.

  • How to map an instance record as A Local or network drive in Windows 7?

    How to map an instance record as A Local or network drive in Windows 7?

    Try this list of steps and see if it helps.

    Step 1 - Open My Computer and click on the 'Map network drive' button.
    Step 2 - Name the folder, select "Connect using different credentials" and then click on "Connect to a Web site that you can use to store your documents and photos."
    Step 3 - Click on "Next".
    Step 4 - Select "Choose a custom network location" and then click "Next".
    Step 5 - Type in 'ftp://yourwebsite.com/' as the Internet or network address.
    Step 6 - Uncheck "Log on anonymously" and type your user name for FTP access.
    Step 7 - Type a name for this location.
    Step 8 - Click on Finish.
    Step 9 - Now, when you double-click your new network location, you must log on. Type the password, uncheck the "Log on anonymously" box and finally check the save password box, unless you want to enter it each time.
    Step 10 - transfer your files of images to the server, as it is a folder on your PC.

  • How to map image an image that is 100% up to 100% width?

    How to image-map an image that is scaled up to 100% width?

    I have this image that I need to fit to 100% in any browser, and I don't know how to make the image map, because it does not match the selected area after loading in the browser.

    Thank you

    You cannot.  Hotspot coordinates do not re-scale with the image.   If you use an image map, use the height and width in pixels.  Make it small enough to fit on smaller devices.

    Nancy O.

  • How can I get an access icloud 4-digit code?

    How can I get an access icloud 4-digit code?

    You can reset the code, and the keychain in iCloud will be replaced by the keychain currently on your device.  To do this, follow the instructions under "If you don't have access to another approved... device" in this article: iCloud: on iCloud cipher messages - alert Apple support.

    Otherwise, you will need to contact Apple support to prove your identity and get help completing the Keychain setup: http://www.apple.com/support/contact/.

  • How to convert a dynamic disk to a basic?

    How to convert a dynamic disk to a basic? I can't really delete the C and system drives, and if so, how?

    Hi Brad,

    Welcome to Microsoft Community and thank you for posting your query.

    According to the description, it seems that you want to convert a dynamic disk to basic.

    However, we need more information about the issue to help you better.

    Please help me by answering these questions.

    1. How many partitions are on the hard drive?

    2. Is Windows installed on drive C?

    3. Do you have any operating system installed on the hard drive?

    To convert the dynamic disk to basic, here are some steps that you can try.

    You can try to convert the dynamic disk to basic (except your C: drive) using Diskpart.exe at the command line. By following these steps, you can avoid reinstalling Windows XP. But if you want the whole hard disk as a single partition, then proceed as follows.

    Note: Before formatting the hard drive or perform the steps, back up your data to an external storage device.

    Steps to convert dynamic disk to basic

    a. Press Windows key + R on the keyboard and, in the Run window, type cmd.exe

    b. At the command prompt, type diskpart.

    c. At the Diskpart prompt, type list disk. Note the number of the disk you want to convert to dynamic.

    d. At the Diskpart prompt, type select disk . (Select the dynamic disk you want to convert.)

    e. At the Diskpart prompt, type clean to remove all volumes on the disk.

    f. Then, at the Diskpart prompt, type convert basic to restore the disk to basic.

    Respond us if you have any queries with hard drive problems and we will be happy to help you.

  • How to map my Sky Drive on my XP?

    Hello

    Recently, I tried to figure out how to map my Sky Drive. I watched all the tutorials, but most were for Windows 7 and my Sky Drive address was different. Help, please.

    Hello

    The question you have posted is related to Windows Live and would be better suited to the Windows Live Forum. Click on the link below.

    Windows Live Solution Center

    http://www.windowslivehelp.com/product.aspx?ProductID=6

  • I have an iMac with Time Capsule - I want to back up two PC laptops over the network. How to map a network drive?

    How do I map a network drive, so I can back up my two PC laptops to my iMac Time Capsule?
    Thank you

    Hello

    I suggest you to refer to this link and check if it helps:

    http://support.Microsoft.com/kb/308582

    It will be useful.

  • How do you disable the dynamic horizontal scrolling "feature"?

    How do you disable the dynamic horizontal scrolling "feature"?
    It's totally _ me off. I'm trying to use a new photo manipulation program, but can't zoom in because it scrolls the work area, I need trouble! Ugh! I swear to God _... it's just ridiculous!
    Please someone tell me how to disable this "feature".

    musgoodw, the best advice I can give is to just play with the "mouse" settings.  Just type mouse into the start menu.
    By default, a Synaptics touchpad has a vertical scroll area on the right of the touchpad. Some driver versions also (by default) enable the horizontal scroll area at the bottom.
    Both can be changed: whether they are enabled, the amount of space used, where they are, scrolling speed and much more in the Synaptics config.  You would be pleasantly surprised how you can set one up.  ;)

    HTH,
    Chris [If this post can help solve your problem, please click the 'Mark as answer' or 'Useful' at the top of this message.] [Marking a post as answer, or relatively useful, you help others find the answer more quickly.]
