Cisco Systems ASA 5540 Network Router User Manual


Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Configuring Dynamic Access Policies
You can create multiple instances of each type of endpoint attribute. For each of these types, you need
to decide whether the DAP policy should require that the user have all instances of a type (Match All =
AND) or only one of them (Match Any = OR). To set this value for each of the endpoint attributes, click
the Logical Op. button.
Step 9 In the Advanced field you can enter one or more logical expressions to set AAA or endpoint attributes
other than what is possible in the AAA and Endpoint areas above. This feature requires knowledge
of the Lua programming language.
AND/OR—Click to define the relationship between the basic selection rules and the logical
expressions you enter here, that is, whether the new attributes add to or substitute for the AAA and
endpoint attributes already set. The default is AND.
Logical Expressions—You can configure multiple instances of each type of endpoint attribute. Enter
free-form Lua text that defines new AAA and/or endpoint selection attributes. ASDM does not
validate text that you enter here; it just copies this text to the DAP XML file, and the ASA processes
it, discarding any expressions it cannot parse.
Guide—Click to display online help for creating these logical operations or see Guide to Creating
DAP Logical Expressions using LUA, page 70-36.
Step 10 To configure network and webtype ACLs, file browsing, file server entry, HTTP proxy, URL entry, port
forwarding lists and URL lists, set values in the Access Policy Attributes fields. Attribute values that
you configure here override authorization values in the AAA system, including those in existing user,
group, tunnel group, and default group records. See Configuring DAP Access and Authorization Policy
Attributes, page 70-32 for more information.
Step 11 Click OK.
Tip If you want to test your Dynamic Access Policy, in the Configure Dynamic Access Policies dialog box,
click Test Dynamic Access Policies and add the attributes to the test interface. See Testing Dynamic
Access Policies, page 70-13.
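Because ASDM copies the Advanced field text from Step 9 into the DAP XML file without validating it, and the ASA discards expressions it cannot parse, a syntax check before pasting catches typos that would otherwise drop a selection rule. The following is an added example, not code from the Cisco guide; the sample expressions are constructed, and `EVAL(...)` and `endpoint.os.version` are assumed to be supplied by the ASA's DAP Lua environment.

```lua
-- Added example: offline syntax check for DAP Advanced-field expressions.
-- It only parses the text; it never evaluates it, so the ASA-side names
-- (EVAL, endpoint.*) do not need to exist on the workstation.

-- Lua 5.1 provides loadstring; Lua 5.2 and later accept a string in load.
local compile = loadstring or load

-- Constructed samples. EVAL(...) and endpoint.os.version are assumed to be
-- provided by the ASA's DAP Lua environment; they are not defined here.
local candidates = {
  { name = "os-version",
    text = [[EVAL(endpoint.os.version, "EQ", "Windows 10", "string")]] },
  { name = "missing-paren",
    text = [[EVAL(endpoint.os.version, "EQ", "Windows 10", "string"]] },
  { name = "unterminated-string",
    text = [[EVAL(endpoint.os.version, "EQ", "Windows 10, "string")]] },
}

-- Returns true when the text parses as a single Lua expression,
-- otherwise false plus the parser's message.
local function check_expression(text)
  -- The newline before ")" keeps a trailing "--" comment in the text
  -- from swallowing the closing parenthesis.
  local chunk, err = compile("return (" .. text .. "\n)", "=dap-expression")
  if chunk then
    return true
  end
  return false, err
end

local failures = 0
for _, c in ipairs(candidates) do
  local ok, err = check_expression(c.text)
  if ok then
    print(string.format("OK    %s", c.name))
  else
    failures = failures + 1
    print(string.format("FAIL  %s: %s", c.name, err))
  end
end

-- A non-zero exit status lets a change-review script stop before the
-- expression is pasted into ASDM.
os.exit(failures == 0 and 0 or 1)
```

A clean parse shows only that the text is well-formed Lua, not that the attributes it names exist on the ASA or that the policy selects the intended sessions; confirm that with Test Dynamic Access Policies as described in the Tip above.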