70-24
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Configuring Endpoint Attributes Used in DAPs
Guidelines
You can create multiple instances of each type of endpoint attribute. For each of these types, you need
to decide whether the DAP policy should require that the user have all instances of a type (Match All =
AND) or only one of them (Match Any = OR).
To set this value, after you have defined all instances of the endpoint attribute, click the Logical Op.
button and select the Match Any or Match All button. If you do not specify a Logical Operation, Match
Any is used by default.
Detailed Steps
Step 1 In the Endpoint Attribute Type list box, select Device.
Step 2 Check the Host Name checkbox and set the operation field to be equal to (=) or not equal to (!=) the host
name of the device you are testing for. Use the computer’s host name only, not the fully qualified domain
name (FQDN).
Step 3 Check the MAC address checkbox and set the operation field to be equal to (=) or not equal to (!=) the
MAC address of the network interface card you are testing for. Enter only one MAC address per entry. The
address must be in the format xxxx.xxxx.xxxx where x is a hexadecimal character.
Step 4 Check the BIOS Serial Number checkbox and set the operation field to be equal to (=) or not equal to
(!=) the BIOS serial number value of the device you are testing for. The number format is
manufacturer-specific. There is no format requirement.
Step 5 Check the Port Number checkbox and set the operation field to be equal to (=) or not equal to (!=) the
TCP port in listening state you are testing for. You can define a single port per line.
Step 6 Check the Privacy Protection checkbox and set the operation field to be equal to (=) or not equal to (!=)
the component CSD uses to execute the PreLogin Policy.
Step 7 Check the Version of Secure Desktop (CSD) checkbox and set the operation field to be equal to (=) or
not equal to (!=) the version of the Host Scan image running on the endpoint.
Step 8 Check the Version of Endpoint Assessment checkbox and set the operation field to be equal to (=) or
not equal to (!=) the version of endpoint assessment (OPSWAT) you are testing for.
Step 9 Click OK.
Step 10 Return to Configuring Dynamic Access Policies, page 70-10.
Additional References
See Endpoint Attribute Definitions, page 70-29 for additional information on the Device endpoint
attribute requirements.
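The following added example (not part of the Cisco guide and not ASA or ASDM code) prepares Device attribute values in the formats the steps above require and models how multiple instances combine under Match Any and Match All. The function names, the lower-casing of MAC addresses, the treatment of "!=" as "value not present on the endpoint", and the sample values are assumptions of this example.

```python
import re

def to_dap_mac(mac: str) -> str:
    """Convert common MAC notations to the xxxx.xxxx.xxxx form Step 3 requires."""
    digits = re.sub(r"[.:\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a single 48-bit MAC address: {mac!r}")
    digits = digits.lower()  # assumption: lower-case chosen for stable comparison
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def to_dap_hostname(name: str) -> str:
    """Keep only the host name; Step 2 says not to use the FQDN."""
    host = name.strip().split(".", 1)[0]
    if not host:
        raise ValueError(f"empty host name in {name!r}")
    return host

def to_dap_port(port) -> int:
    """Step 5 allows a single TCP port per line: one integer in 1-65535."""
    value = int(port)  # "80, 443" or similar raises ValueError here
    if not 1 <= value <= 65535:
        raise ValueError(f"not a TCP port: {port!r}")
    return value

def instance_matches(op: str, expected, actual_values) -> bool:
    """One attribute instance. Assumption: '=' means the endpoint reports the
    value and '!=' means it does not (simplified model, not the ASA's logic)."""
    if op == "=":
        return expected in actual_values
    if op == "!=":
        return expected not in actual_values
    raise ValueError(f"unsupported operation: {op!r}")

def evaluate(instances, actual_values, logical_op="Match Any") -> bool:
    """Combine instances of one type; Match Any applies when nothing is chosen."""
    results = [instance_matches(op, exp, actual_values) for op, exp in instances]
    return all(results) if logical_op == "Match All" else any(results)

# Constructed sample: an endpoint with two NICs and a policy with two MAC instances.
endpoint_macs = {to_dap_mac("00:1A:2B:3C:4D:5E"), to_dap_mac("00-1a-2b-3c-4d-5f")}
mac_instances = [("=", to_dap_mac("001A.2B3C.4D5E")),
                 ("=", to_dap_mac("00:1a:2b:ff:ff:ff"))]

if __name__ == "__main__":
    print(evaluate(mac_instances, endpoint_macs))               # default Match Any
    print(evaluate(mac_instances, endpoint_macs, "Match All"))
```

With the default Match Any, one matching MAC instance is enough to select the record, so a broad list of "=" instances widens access; choose Match All when every instance must hold.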
Adding a NAC Endpoint Attribute to a DAP
Prerequisites
Configuring NAC endpoint attributes as selection criteria for DAP records is part of a larger process.
Read Configuring Dynamic Access Policies, page 70-10 before you configure NAC endpoint attributes.