CHAPTER
70-1
Cisco ASA 5500 Series Configuration Guide using ASDM
70
Configuring Dynamic Access Policies
This chapter describes how to configure dynamic access policies. It includes the following sections.
• Information About Dynamic Access Policies, page 70-1
• Licensing Requirements for Dynamic Access Policies, page 70-3
• Dynamic Access Policies Interface, page 70-8
• Configuring Dynamic Access Policies, page 70-10
• Testing Dynamic Access Policies, page 70-13
• DAP and Authentication, Authorization, and Accounting Services, page 70-14
• Configuring Endpoint Attributes Used in DAPs, page 70-18
• Configuring DAP Access and Authorization Policy Attributes, page 70-32
• Guide to Creating DAP Logical Expressions using LUA, page 70-36
Information About Dynamic Access Policies
VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection,
for example, intranet configurations that frequently change, the various roles each user may inhabit
within an organization, and logins from remote access sites with different configurations and levels of
security. The task of authorizing users is much more complicated in a VPN environment than it is in a
network with a static configuration.
Dynamic access policies (DAP) on the ASA let you configure authorization that addresses these many
variables. You create a dynamic access policy by setting a collection of access control attributes that you
associate with a specific user tunnel or session. These attributes address issues of multiple group
membership and endpoint security. That is, the ASA grants access to a particular user for a particular
session based on the policies you define. The ASA generates a DAP at the time the user connects by
selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records
based on the endpoint security information of the remote device and the AAA authorization information
for the authenticated user. It then applies the DAP record to the user tunnel or session.
The DAP system includes the following components that require your attention:
• DAP Selection Configuration File—A text file containing criteria that the ASA uses for selecting
and applying DAP records during session establishment. Stored on the ASA. You can use ASDM to
modify it and upload it to the ASA in XML data format. DAP selection configuration files include
all of the attributes that you configure. These can include AAA attributes, endpoint attributes, and
access policies as configured in network and web-type ACL filter, port forwarding and URL lists,