70-43
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Guide to Creating DAP Logical Expressions using LUA
CheckAndMsg with Custom Function Example
You can use the following function to deny access in the absence of an antivirus program. Use it with a
DAP that has Action set to terminate.
assert( function()
    -- Walk every antivirus instance reported for the endpoint.
    for k,v in pairs(endpoint.av) do
        -- If any product reports exists == "true", do not terminate.
        if (EVAL(v.exists, "EQ", "true", "string")) then
            return false
        end
    end
    -- No antivirus found: return true (terminate) and show the message.
    return CheckAndMsg(true, "Please install antivirus software before connecting.", nil)
end)()
If a user lacking an antivirus program attempts to log in, DAP displays the following message:
Please install antivirus software before connecting.
Further Information on Lua
You can find detailed LUA programming information at http://www.lua.org/manual/5.1/manual.html.
Operator for Endpoint Category
You can configure multiple instances of each type of endpoint. In this pane, set each type of endpoint to
require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All =
AND).
If you configure only one instance of an endpoint category, you do not need to set a value.
For some endpoint attributes, it makes no sense to configure multiple instances. For example, no
users have more than one running OS.
You are configuring the Match Any/Match All operation within each endpoint type.
The security appliance evaluates each type of endpoint attribute, and then performs a logical AND
operation on all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the
endpoints you configure, as well as the AAA attributes.
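The Match Any/Match All setting described above can also be expressed directly in a Lua logical expression. The following added example (not from the Cisco guide) is the Match All counterpart of the CheckAndMsg example earlier on this page: it terminates the session unless every antivirus instance in endpoint.av reports exists == "true". It assumes only the endpoint.av table, EVAL and CheckAndMsg shown on this page, and is meant for a DAP whose Action is set to terminate.

```lua
-- Added example, not from the Cisco guide. Assumes the DAP Lua
-- environment on this page: endpoint.av, EVAL and CheckAndMsg.
assert( function()
    -- Count all antivirus instances and those that are present.
    -- Match All = AND: present must equal total; Match Any = OR
    -- would be present > 0 instead.
    local function count_present(category)
        local total, present = 0, 0
        for _, v in pairs(category) do
            total = total + 1
            if EVAL(v.exists, "EQ", "true", "string") then
                present = present + 1
            end
        end
        return total, present
    end

    local total, present = count_present(endpoint.av)

    -- An empty table means no antivirus instance was configured or
    -- detected at all, which also fails the Match All condition.
    local match_all = (total > 0) and (present == total)

    -- true means the DAP matches and the session is terminated;
    -- the message is shown only in that case.
    return CheckAndMsg(not match_all,
        "All required antivirus products must be installed before connecting.",
        nil)
end)()
```

Changing the condition to present > 0 turns the same expression into the Match Any (OR) form, which is what the earlier example on this page implements by returning false as soon as one instance exists.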
DAP Examples
The following sections provide examples of useful dynamic access policies.
Using DAP to Define Network Resources
Using DAP to Apply a WebVPN ACL
Enforcing CSD Checks and Applying Policies via DAP

Using DAP to Define Network Resources

This example shows how to configure dynamic access policies as a method of defining network
resources for a user or group. The DAP policy named Trusted_VPN_Access permits clientless and
AnyConnect VPN access. The policy named Untrusted_VPN_Access permits only clientless VPN
access. Table 70-4 summarizes the configuration of each of these policies.