65-18
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 65 Configuring Dynamic Access Policies
Understanding VPN Access Policies
– =/!=—Equal to/Not equal to.
• LDAP includes the Get AD Groups button. This button queries the Active Directory LDAP server
for the list of groups the user belongs to (memberOf enumerations). It retrieves the AD groups by
running the CLI show ad-groups command in the background.
The show ad-groups command applies only to Active Directory servers using LDAP. Use this command
to display AD groups that you can use for dynamic access policy AAA selection criteria.
The default time that the adaptive security appliance waits for a response from the server is 10 seconds.
You can adjust this time using the group-search-timeout command in aaa-server host configuration
mode.
Note If the Active Directory server has a large number of groups, the output of the show ad-groups command
might be truncated based on limitations to the amount of data the server can fit into a response packet.
To avoid this problem, use the filter option to reduce the number of groups reported by the server.
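The following configuration is an added example and is not taken from the guide: it shows an LDAP AAA server group (server tag AD-LDAP, address, base DN and bind account are assumed values) with the group-search-timeout raised from the 10-second default, followed by the show ad-groups command with the filter option the Note recommends for large directories.

```cisco
! Define an LDAP server group pointing at an Active Directory domain controller
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Use a dedicated low-privilege bind account for group lookups (assumed DN)
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
 ! Wait up to 20 seconds (instead of the default 10) for the group query reply
 group-search-timeout 20
!
! Enumerate AD groups for use as DAP AAA selection criteria; the filter
! keeps the reply small so it is not truncated in a large directory
show ad-groups AD-LDAP filter VPN
```

Only groups whose names match the filter string are listed, so choose a naming convention for VPN-related groups that the filter can match.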
Modes
The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System
•        •             •        —         —

Retrieving Active Directory Groups
Figure 65-5 shows the Retrieve AD Groups from Selected AD Server Group pane.
Figure 65-5 Retrieve AD Groups Dialog Box