Cisco Systems OL-16647-01 Network Router User Manual

Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
Step 8 In the Advanced field you can enter one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas above.
Step 9 To configure network and webtype ACLs, file browsing, file server entry, HTTP proxy, URL entry, port forwarding lists and URL lists, set values in the Access Policy Attributes fields.
Fields
Policy Name—A string of 4 through 32 characters, no spaces allowed.
Description—(Optional) Describes the purpose of the DAP record. Maximum 80 characters.
Priority—Sets the priority of the DAP. The security appliance applies access policies in the order you set here, with the highest number having the highest priority. Values of 0 to 2147483647 are valid. Default = 0.
ANY/ALL/NONE drop-down box—Set to require that user authorization attributes match any, all, or none of the values in the AAA attributes you are configuring; every endpoint attribute must also be satisfied. Duplicate entries are not allowed. If you configure a DAP record with no AAA or endpoint attributes, the security appliance always selects it, since all selection criteria are satisfied.
AAA Attributes—Displays the configured AAA attributes.
Attribute—Displays the name of the AAA attribute.
Operation/Value—Displays the operator (= or !=) and the value that the AAA attribute is tested against.
Add/Edit/Delete—Click to add, edit, or delete the highlighted AAA attribute.
Endpoint Attributes—Displays the configured endpoint attributes.
Endpoint ID—Identifies endpoint attributes.
Name/Operation/Value—Summarizes configured values for each endpoint attribute.
Add/Edit/Delete—Click to add, edit, or delete the highlighted endpoint attribute.
Note Cisco Secure Desktop provides the security appliance with all endpoint attributes except Application and NAC. To configure all other endpoint attributes, you must first enable Cisco Secure Desktop, and configure the relevant endpoint attributes there as well.
Logical Op.—You can create multiple instances of each type of endpoint attribute. Click to configure whether the DAP policy should require that the user have all instances of a type (Match all = AND) or only one of them (Match Any = OR). Be aware that for some endpoint attributes, for example OS, a user can never have more than one instance of the attribute.
Advanced—Click to set additional attributes for the dynamic access policy. Be aware that this is an advanced feature that requires knowledge of Lua.
AND/OR—Click to define the relationship between the basic selection rules and the logical expressions you enter here, that is, whether the new attributes add to or substitute for the AAA and endpoint attributes already set. The default is AND.
Logical Expressions—You can configure multiple instances of each type of endpoint attribute. Enter free-form Lua text that defines new AAA and/or endpoint selection attributes. ASDM does not validate text that you enter here; it just copies this text to the DAP XML file, and the security appliance processes it, discarding any expressions it cannot parse.
Guide—Click to display online help for creating these logical operations.
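The following is an added Python model, not Cisco code or anything from the ASDM guide, of the record-selection rules these fields describe: the ANY/ALL/NONE test over AAA attributes, the per-type Match all/Match any Logical Op. over endpoint attributes, highest Priority number first, and a record with no criteria always matching. The attribute names, session values and record names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Test = Tuple[str, str, str]  # (attribute, operator "=" or "!=", value)
@dataclass
class DapRecord:
    """Model of the DAP record fields described above (constructed, not Cisco code)."""
    name: str
    priority: int = 0        # 0..2147483647; a higher number wins
    aaa_mode: str = "ALL"    # the ANY/ALL/NONE drop-down
    aaa_tests: List[Test] = field(default_factory=list)
    # endpoint type -> ("all" | "any", tests); "all"/"any" is the per-type Logical Op.
    endpoint: Dict[str, Tuple[str, List[Test]]] = field(default_factory=dict)
def _cmp(actual, op: str, value: str) -> bool:
    return actual == value if op == "=" else actual != value
def aaa_matches(rec: DapRecord, aaa: Dict[str, str]) -> bool:
    """ANY: at least one test true; ALL: every test true; NONE: no test true."""
    if not rec.aaa_tests:  # no AAA criteria configured: nothing can fail
        return True
    hits = [_cmp(aaa.get(attr), op, val) for attr, op, val in rec.aaa_tests]
    if rec.aaa_mode == "ANY":
        return any(hits)
    if rec.aaa_mode == "NONE":
        return not any(hits)
    return all(hits)
def endpoint_matches(rec: DapRecord, endpoint: Dict[str, List[Dict[str, str]]]) -> bool:
    """Every configured endpoint attribute type must be satisfied (Match all / Match any)."""
    for etype, (logic, tests) in rec.endpoint.items():
        instances = endpoint.get(etype, [])  # all reported instances of this type
        hits = [any(_cmp(i.get(a), op, v) for i in instances) for a, op, v in tests]
        if not (all(hits) if logic == "all" else any(hits)):
            return False
    return True
def select_dap(records: List[DapRecord], aaa, endpoint) -> List[str]:
    """Names of matching records, highest priority first; stable sort keeps config order on ties."""
    matched = [r for r in records if aaa_matches(r, aaa) and endpoint_matches(r, endpoint)]
    return [r.name for r in sorted(matched, key=lambda r: r.priority, reverse=True)]
# Constructed sample session and DAP records (not from any real deployment).
SESSION_AAA = {"ldap.memberOf": "Engineering", "radius.class": "vpn-users"}
SESSION_ENDPOINT = {"os": [{"version": "Windows 7"}], "av": [{"vendor": "McAfee"}]}
RECORDS = [
    DapRecord("catch-all"),  # no AAA or endpoint attributes: always selected
    DapRecord("eng-managed", 20, "ALL", [("ldap.memberOf", "=", "Engineering")],
              {"os": ("all", [("version", "=", "Windows 7")]),
               "av": ("any", [("vendor", "=", "McAfee"), ("vendor", "=", "Symantec")])}),
    DapRecord("contractors", 30, "ANY", [("ldap.memberOf", "=", "Contractors"), ("radius.class", "=", "guest")]),
    DapRecord("non-contractors", 5, "NONE", [("ldap.memberOf", "=", "Contractors")]),
    DapRecord("two-av", 40, "ALL", [], {"av": ("all", [("vendor", "=", "McAfee"), ("vendor", "=", "Symantec")])}),
]
```

Running `select_dap(RECORDS, SESSION_AAA, SESSION_ENDPOINT)` on the constructed session returns `["eng-managed", "non-contractors", "catch-all"]`; the `two-av` record is skipped because Match all requires both antivirus instances, and `contractors` is skipped because neither of its ANY tests is true.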