Cisco Systems OL-16647-01 Network Router User Manual
Cisco ASDM User Guide, OL-16647-01, page 36-21
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
end)()
Further Information on Lua
You can find detailed Lua programming information at http://www.lua.org/manual/5.1/manual.html.
Operator for Endpoint Category
You can configure multiple instances of each type of endpoint. In this pane, set each type of endpoint to
require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All =
AND).
If you configure only one instance of an endpoint category, you do not need to set a value.
For some endpoint attributes, it makes no sense to configure multiple instances. For example, no
users have more than one running OS.
You are configuring the Match Any/Match All operation within each endpoint type.
The security appliance evaluates each type of endpoint attribute, and then performs a logical AND
operation on all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the
endpoints you configure, as well as the AAA attributes.
DAP Examples
The following sections provide examples of useful dynamic access policies.
Using DAP to Define Network Resources
This example shows how to configure dynamic access policies as a method of defining network
resources for a user or group. The DAP policy named Trusted_VPN_Access permits clientless and
AnyConnect VPN access. The policy named Untrusted_VPN_Access permits only clientless VPN
access. Table 36-4 summarizes the configuration of each of these policies.
The ASDM path is Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > Endpoint.
Table 36-4 A Simple DAP Configuration for Network Resources

Attribute                                Trusted_VPN_Access          Untrusted_VPN_Access
Endpoint Attribute Type Policy           Trusted                     Untrusted
Endpoint Attribute Process               ieexplore.exe
Advanced Endpoint Assessment Attribute   AntiVirus= McAfee
CSD Location                             Trusted                     Untrusted
LDAP memberOf                            Engineering, Managers       Vendors
ACL                                                                  Web-Type ACL
Access                                   AnyConnect and Web Portal   Web Portal
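The matching rules from "Operator for Endpoint Category" (Match Any/Match All within a type, logical AND across types and with the AAA attributes), applied to the two records of Table 36-4. This is an added model written for this page, not Cisco code; the class names, the attribute-type names and the sample session are assumptions.

```python
# Added illustration, not Cisco code: models the DAP endpoint-matching semantics this section
# describes (Match Any/Match All inside a type; logical AND across types and with AAA).
from dataclasses import dataclass, field

@dataclass
class EndpointType:
    name: str                  # endpoint attribute category, e.g. "Process", "AntiVirus"
    instances: list            # values the administrator configured for this type
    match_all: bool = False    # True = Match All (AND); False = Match Any (OR)

@dataclass
class DAPRecord:
    name: str
    endpoint_types: list                      # EndpointType entries, ANDed together
    aaa: dict = field(default_factory=dict)   # AAA attribute -> acceptable values
    access: str = ""

def endpoint_type_matches(etype, observed):
    """observed maps a type name to the set of values seen on the endpoint."""
    present = observed.get(etype.name, set())
    hits = [inst in present for inst in etype.instances]
    if len(hits) == 1:         # a single instance: the Any/All operator is irrelevant
        return hits[0]
    return all(hits) if etype.match_all else any(hits)

def dap_matches(record, observed, user_aaa):
    """Every configured endpoint type AND every AAA attribute must be satisfied."""
    endpoint_ok = all(endpoint_type_matches(t, observed) for t in record.endpoint_types)
    aaa_ok = all(set(user_aaa.get(k, ())) & set(v) for k, v in record.aaa.items())
    return endpoint_ok and aaa_ok

def select_dap(records, observed, user_aaa):
    """Names of all DAP records whose conditions the session satisfies."""
    return [r.name for r in records if dap_matches(r, observed, user_aaa)]

# The two records of Table 36-4 in this model (attribute names are assumptions).
TRUSTED = DAPRecord("Trusted_VPN_Access",
                    [EndpointType("Policy", ["Trusted"]), EndpointType("Process", ["ieexplore.exe"]),
                     EndpointType("AntiVirus", ["McAfee"]), EndpointType("Location", ["Trusted"])],
                    aaa={"memberOf": {"Engineering", "Managers"}}, access="AnyConnect and Web Portal")
UNTRUSTED = DAPRecord("Untrusted_VPN_Access",
                      [EndpointType("Policy", ["Untrusted"]), EndpointType("Location", ["Untrusted"])],
                      aaa={"memberOf": {"Vendors"}}, access="Web Portal")

# Constructed sample session: an engineer on a trusted, CSD-checked machine.
ENGINEER_HOST = {"Policy": {"Trusted"}, "Process": {"ieexplore.exe", "outlook.exe"},
                 "AntiVirus": {"McAfee"}, "Location": {"Trusted"}}
```

A session that satisfies every endpoint type of Trusted_VPN_Access but belongs to the Vendors group matches neither record, which is the AND with the AAA attributes at work.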