Cisco Systems OL-16647-01 Network Router User Manual
Cisco ASDM User Guide, OL-16647-01
Chapter 36: Configuring Dynamic Access Policies
This chapter describes how to configure dynamic access policies. It includes the following sections:
Understanding VPN Access Policies
Add/Edit Dynamic Access Policies
Add/Edit AAA Attributes
Retrieve AD Groups from selected AD Server Group
Add/Edit Endpoint Attributes
Operator for Endpoint Category
DAP Examples
Understanding VPN Access Policies
VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection,
for example, intranet configurations that frequently change, the various roles each user may inhabit
within an organization, and logins from remote access sites with different configurations and levels of
security. The task of authorizing users is much more complicated in a VPN environment than it is in a
network with a static configuration.
Dynamic access policies (DAP) on the security appliance let you configure authorization that addresses
these many variables. You create a dynamic access policy by setting a collection of access control
attributes that you associate with a specific user tunnel or session. These attributes address issues of
multiple group membership and endpoint security. That is, the security appliance grants access to a
particular user for a particular session based on the policies you define. It generates a DAP at the time
the user connects by selecting and/or aggregating attributes from one or more DAP records. It selects
these DAP records based on the endpoint security information of the remote device and the AAA
authorization information for the authenticated user. It then applies the DAP record to the user tunnel or
session.
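The selection-and-aggregation process just described, as an added illustrative model (not Cisco's implementation, and not the DAP selection configuration file format): DAP records carry AAA and endpoint criteria, the records whose criteria the session satisfies are selected in priority order, and their attributes are combined. The record names, attribute names, the "default record applies only when nothing else matches" rule and the merge rule (any terminate wins, otherwise ACLs are concatenated by priority) are assumptions for this example.

```python
"""Simplified model of DAP record selection and aggregation.
Added example; record names, attribute names and merge rules are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_RECORD = "DfltAccessPolicy"  # assumed: used only when no other record matches


@dataclass
class DapRecord:
    name: str
    priority: int                                           # higher is applied first
    aaa: Dict[str, str] = field(default_factory=dict)       # required AAA attributes
    endpoint: Dict[str, str] = field(default_factory=dict)  # required endpoint attributes
    network_acls: List[str] = field(default_factory=list)
    action: str = "continue"                                # "continue" or "terminate"


def record_matches(rec: DapRecord, aaa: Dict[str, str], endpoint: Dict[str, str]) -> bool:
    """Every AAA and endpoint criterion of the record must hold for the session."""
    return (all(aaa.get(k) == v for k, v in rec.aaa.items())
            and all(endpoint.get(k) == v for k, v in rec.endpoint.items()))


def select_records(records, aaa, endpoint) -> List[DapRecord]:
    """Select matching non-default records; fall back to the default record."""
    matched = [r for r in records if r.name != DEFAULT_RECORD and record_matches(r, aaa, endpoint)]
    if not matched:
        matched = [r for r in records if r.name == DEFAULT_RECORD]
    return sorted(matched, key=lambda r: r.priority, reverse=True)


def aggregate_policy(selected: List[DapRecord]) -> dict:
    """Assumed merge rule: any 'terminate' ends the session; otherwise the
    selected records' ACLs are concatenated in priority order without duplicates."""
    names = [r.name for r in selected]
    if any(r.action == "terminate" for r in selected):
        return {"action": "terminate", "network_acls": [], "records": names}
    acls: List[str] = []
    for r in selected:
        acls.extend(a for a in r.network_acls if a not in acls)
    return {"action": "continue", "network_acls": acls, "records": names}


# Constructed DAP records; names and attribute values are illustrative only.
DAP_RECORDS = [
    DapRecord("Engineering", 20, aaa={"group": "engineering"}, network_acls=["ENG_ACL"]),
    DapRecord("NoAntivirus", 50, endpoint={"antivirus": "absent"}, action="terminate"),
    DapRecord("ManagedHost", 30, endpoint={"antivirus": "present"}, network_acls=["INTRANET_ACL"]),
    DapRecord(DEFAULT_RECORD, 0, network_acls=["DEFAULT_ACL"]),
]


def build_dap(aaa: Dict[str, str], endpoint: Dict[str, str]) -> dict:
    """Generate the session's DAP from the AAA and endpoint information."""
    return aggregate_policy(select_records(DAP_RECORDS, aaa, endpoint))
```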
The DAP system includes the following components that require your attention:
DAP Selection Configuration File—A text file containing criteria that the security appliance uses
for selecting and applying DAP records during session establishment. Stored on the security
appliance. You can use ASDM to modify it and upload it to the security appliance in XML data
format. DAP selection configuration files include all of the attributes that you configure. These can
include AAA attributes, endpoint attributes, and access policies as configured in network and
web-type ACL filter, port forwarding and URL lists,