Thursday, May 29, 2008

Cisco ASA and DAP

OK, for those of you who play with the Cisco ASA product, you might have heard of DAP (Dynamic Access Policies). DAP is used to build policy rules on the fly to provide a custom user experience for VPN sessions (SSL VPN, and Clientless or web-portal VPN in particular), and it is something that has been needed for a while to compete with the Juniper Neoteris product. DAP has some configuration and setup issues that can be a challenge, the primary one being the Microsoft AD integration.
It turns out that figuring out the Login DN parameters, and the format of the LDAP attributes, can be difficult. I recommend using LDP to work out which LDAP attributes you can match on; it is also a useful tool for walking the LDAP structure of AD. The other missing piece of information is that the DAP testing tool does NOT query the LDAP authentication server to see whether the parameters you provide actually exist. All it does is TRUST what you type in as if the LDAP server had returned it, and it uses that to test your DAP policy. So you can happily test away thinking your DAP policy will work, when in fact it will fail because you are matching on the wrong LDAP attribute in the first place! Very frustrating.
Key commands to know:
debug dap trace
debug ldap 255
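Because the ASDM test tool only trusts what you type, the check worth doing by hand is to take a real export of the user object (from LDP, or an LDIF dump from ldapsearch) and confirm that every attribute named in your DAP criteria really exists on that object with the value you expect. The script below is an added example written for this post, not Cisco's code or output; the LDIF record and the DAP criteria in it are constructed sample data, and the case-insensitive value comparison is an assumption (LDAP DNs are case-insensitive, but the ASA's exact matching rules are not covered here).

```python
"""Check Cisco ASA DAP LDAP match criteria against a real AD object export.

Added example, not from the original post. Parses an LDIF record (as LDP or
ldapsearch would export it) and verifies that each attribute a DAP policy
matches on is actually present on the object, which is the step the ASDM
DAP test tool skips.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample export of one AD user object. The first memberOf value
# is folded across two lines the way LDIF does for long values.
SAMPLE_LDIF = """\
# constructed sample record
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jdoe
memberOf: CN=VPN-Users,OU=Groups,
 DC=example,DC=com
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
department: Engineering
"""

# Constructed DAP AAA criteria in the "ldap.<attribute>" form used by DAP.
# "ldap.group" is deliberately not a real AD attribute: it stands for the
# kind of mistake the ASDM test tool will happily accept.
SAMPLE_CRITERIA: List[Tuple[str, str]] = [
    ("ldap.memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
    ("ldap.group", "VPN-Users"),
    ("ldap.department", "Finance"),
]


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF record into {attribute_lowercase: [values]}.

    Handles folded continuation lines (leading space), comments, and
    base64 values ("attr:: ..."). Attribute names are lower-cased because
    LDAP attribute names are case-insensitive.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        idx = line.find(":")
        if idx < 0:
            continue
        name = line[:idx].strip().lower()
        rest = line[idx + 1:]
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    return entry


def check_dap_criteria(criteria: List[Tuple[str, str]],
                       entry: Dict[str, List[str]]) -> Dict[str, str]:
    """Report, per DAP criterion, whether the attribute exists and matches.

    Values are compared case-insensitively (assumption; DNs are
    case-insensitive in LDAP). Multi-valued attributes such as memberOf
    match if any value matches.
    """
    results: Dict[str, str] = {}
    for aaa_attr, expected in criteria:
        name = aaa_attr.split(".", 1)[1] if aaa_attr.lower().startswith("ldap.") else aaa_attr
        values = entry.get(name.lower())
        if values is None:
            results[aaa_attr] = "attribute not present on object"
        elif any(v.lower() == expected.lower() for v in values):
            results[aaa_attr] = "match"
        else:
            results[aaa_attr] = "value mismatch"
    return results


def audit(ldif_text: str = SAMPLE_LDIF,
          criteria: List[Tuple[str, str]] = SAMPLE_CRITERIA) -> Dict[str, str]:
    """Convenience wrapper: parse the export and check the criteria."""
    return check_dap_criteria(criteria, parse_ldif(ldif_text))


if __name__ == "__main__":
    for attr, status in audit().items():
        print(f"{attr:20s} {status}")
```

Run it against an LDIF export of a real test user before trusting a green result from the ASDM tool; any criterion reported as "attribute not present on object" is one the tool would have accepted but the ASA would never match at login.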

Also, for some reason the ASDM DAP testing tool adds commands to the ASA configuration that are cumulative, and you have to remove them via the command line. So if you do use the DAP testing tool, remember to go in and remove the old parameters you gave it. Otherwise you will end up with a list a mile long, and every entry in it will be checked even though you might only see one or two in the ASDM GUI window.
Oh, and make sure you are running , which fixes an SSH issue on the platform that is pretty important.
- Ed
