Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs
The security appliance applies a DAP record when the user's AAA attributes and the endpoint attributes match those configured in the record. The Prelogin Assessment and Host Scan modules of Cisco Secure Desktop return information to the security appliance about the configured endpoint attributes, and the DAP subsystem uses that information to select the DAP records whose selection criteria match the values of those attributes.
Most, but not all, anti-virus, anti-spyware, and personal firewall programs support active scan, which means that the program is memory-resident and therefore always running. Host Scan checks whether an endpoint has a program installed and whether it is memory-resident, and reports as follows:
• If the installed program does not support active scan, Host Scan reports the presence of the software, and the DAP subsystem selects DAP records that specify the program.
• If the installed program supports active scan and active scan is enabled, Host Scan reports the presence of the software, and again the security appliance selects DAP records that specify the program.
• If the installed program supports active scan but active scan is disabled, Host Scan ignores the software. The security appliance does not select DAP records that specify the program, and the output of the debug dap trace command, which includes a lot of information about DAP, does not show the program even though it is installed. When a record unexpectedly fails to match on a product you know is installed, check whether the product's active scan (real-time protection) is turned on at the endpoint, not only whether it is installed.
DAP Connection Sequence
The following sequence outlines a typical remote access connection establishment.
1. A remote client attempts a VPN connection.
2. The security appliance performs posture assessment, using configured NAC and Cisco Secure
Desktop Host Scan values.
3. The security appliance authenticates the user via AAA. The AAA server also returns authorization
attributes for the user.
4. The security appliance applies AAA authorization attributes to the session, and establishes the VPN
tunnel.
5. The security appliance selects DAP records based on the user AAA authorization information and
the session posture assessment information.
6. The security appliance aggregates DAP attributes from the selected DAP records, and they become
the DAP policy.
7. The security appliance applies the DAP policy to the session.
Test Dynamic Access Policies
This pane lets you see which of the DAP records configured on the device would be selected for a given set of AAA and endpoint attribute-value pairs. To specify these pairs, use the Add/Edit buttons associated with the AAA Attribute and Endpoint Attribute tables. The dialogs that appear when you click these Add/Edit buttons are similar to the Add/Edit AAA Attributes and Add/Edit Endpoint Attributes dialog boxes.
When you enter attribute-value pairs and click the Test button, the DAP subsystem on the device evaluates the AAA and endpoint selection attributes of each record against these values. The results appear in the Test Results text area.
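The following Python model, added here as an illustration and not Cisco code, ties together the Host Scan reporting rules, steps 2, 5 and 6 of the connection sequence, and what the Test Dynamic Access Policies pane computes: given AAA attribute-value pairs and the programs found on the endpoint, which DAP records are selected and what the aggregated policy looks like. The record names, attribute names such as ldap.memberOf, product names and ACL names are constructed. Three aggregation rules are modelled as assumptions rather than taken from this page: the default record DfltAccessPolicy applies only when no other record is selected, a terminate action in any selected record terminates the session, and network ACLs and messages are concatenated in descending record priority.

```python
from dataclasses import dataclass, field

# Name of the default DAP record; modelled here as applying only when no
# other record is selected (assumption, see lead-in).
DEFAULT_RECORD = "DfltAccessPolicy"


@dataclass
class ScannedProgram:
    """An anti-virus/anti-spyware/firewall program found on the endpoint."""
    name: str
    supports_active_scan: bool
    active_scan_enabled: bool = False


def host_scan_report(programs):
    """Names of the installed programs that Host Scan actually reports.

    A program that supports active scan but has it disabled is ignored,
    so a DAP record that requires it can never be selected.
    """
    return {p.name for p in programs
            if not p.supports_active_scan or p.active_scan_enabled}


@dataclass
class DapRecord:
    name: str
    priority: int = 0
    aaa_match: dict = field(default_factory=dict)        # attr -> required value
    required_programs: set = field(default_factory=set)  # must be reported by Host Scan
    action: str = "continue"                             # "continue" or "terminate"
    network_acls: list = field(default_factory=list)
    message: str = ""


def record_matches(record, aaa_attrs, reported_programs):
    """A record is selected only if all its AAA and endpoint criteria hold."""
    if any(aaa_attrs.get(a) != v for a, v in record.aaa_match.items()):
        return False
    return record.required_programs <= reported_programs


def aggregate_policy(selected):
    """Merge the selected records into one DAP policy (modelled rules)."""
    ordered = sorted(selected, key=lambda r: r.priority, reverse=True)
    return {
        "records": [r.name for r in ordered],
        "action": "terminate" if any(r.action == "terminate" for r in ordered)
                  else "continue",
        "network_acls": [acl for r in ordered for acl in r.network_acls],
        "message": " ".join(r.message for r in ordered if r.message),
    }


def evaluate_session(records, aaa_attrs, programs):
    """Posture (step 2), record selection (step 5) and aggregation (step 6).

    Called with hand-entered attribute-value pairs, this is also what the
    Test Dynamic Access Policies pane reports.
    """
    reported = host_scan_report(programs)
    selected = [r for r in records
                if r.name != DEFAULT_RECORD
                and record_matches(r, aaa_attrs, reported)]
    if not selected:
        selected = [r for r in records if r.name == DEFAULT_RECORD]
    return aggregate_policy(selected)


# Constructed sample records; names and attribute strings are illustrative.
RECORDS = [
    DapRecord(DEFAULT_RECORD, network_acls=["remediation-only"],
              message="Endpoint did not meet posture requirements."),
    DapRecord("Admins-Full-Access", priority=20,
              aaa_match={"ldap.memberOf": "VPN-Admins"},
              required_programs={"ExampleAV"},
              network_acls=["permit-internal"]),
    DapRecord("All-Users-Must-Have-Firewall", priority=10,
              required_programs={"ExampleFW"},
              network_acls=["permit-intranet"]),
    DapRecord("Block-Disabled-Accounts", priority=30,
              aaa_match={"ldap.accountDisabled": "true"},
              action="terminate", message="Account disabled."),
]


def demo():
    """Three constructed sessions exercising the selection rules."""
    admin = {"ldap.memberOf": "VPN-Admins"}
    av_on = ScannedProgram("ExampleAV", supports_active_scan=True, active_scan_enabled=True)
    av_off = ScannedProgram("ExampleAV", supports_active_scan=True, active_scan_enabled=False)
    fw = ScannedProgram("ExampleFW", supports_active_scan=False)
    return {
        "compliant_admin": evaluate_session(RECORDS, admin, [av_on, fw]),
        "av_disabled_admin": evaluate_session(RECORDS, admin, [av_off]),
        "disabled_account": evaluate_session(
            RECORDS, {"ldap.accountDisabled": "true"}, [fw]),
    }


if __name__ == "__main__":
    for label, policy in demo().items():
        print(label, policy)
```

The second session is the case the text warns about: the administrator has the anti-virus product installed, but with active scan disabled Host Scan reports nothing, no record specifying it is selected, and the session falls through to the default record and its restricted ACL.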