Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Guide to Creating DAP Logical Expressions using LUA
The ASDM path is Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > Endpoint
Using DAP to Apply a WebVPN ACL
DAP can directly enforce a subset of access policy attributes including Network ACLs (for IPsec and
AnyConnect), clientless SSL VPN Web-Type ACLs, URL lists, and Functions. It cannot directly
enforce, for example, a banner or the split tunnel list, which the group policy enforces. The Access
Policy Attributes tabs in the Add/Edit Dynamic Access Policy pane provide a complete menu of the
attributes DAP directly enforces.
Active Directory/LDAP stores user group policy membership as the “memberOf” attribute in the user
entry. You can define a DAP such that for a user in AD group (memberOf) = Engineering the ASA
applies a configured Web-Type ACL. To accomplish this task, perform the following steps:
Step 1 Navigate to the Add AAA attributes pane (Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add AAA Attribute).
Step 2 For the AAA Attribute type, use the drop-down menu to choose LDAP.
Step 3 In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 4 In the Value field, use the drop-down menu to choose =, and in the adjacent field enter Engineering.
Step 5 In the Access Policy Attributes area of the pane, click the Web-Type ACL Filters tab.
Step 6 Use the Web-Type ACL drop-down menu to select the ACL you want to apply to users in the AD group (memberOf) = Engineering.
Enforcing CSD Checks and Applying Policies via DAP
This example creates a DAP that checks that a user belongs to two specific AD/LDAP groups
(Engineering and Employees) and a specific ASA tunnel group. It then applies an ACL to the user.
The ACLs that DAP applies control access to the resources. They override any ACLs defined in the group policy on the ASA. In addition, the ASA applies the regular AAA group policy inheritance rules and attributes for those that DAP does not define or control, such as split tunneling lists, banner, and DNS. To accomplish this task, perform the following steps.
Table 70-4 A Simple DAP Configuration for Network Resources

Attribute                              | Trusted_VPN_Access        | Untrusted_VPN_Access
---------------------------------------|---------------------------|---------------------
Endpoint Attribute Type Policy         | Trusted                   | Untrusted
Endpoint Attribute Process             | ieexplore.exe             |
Advanced Endpoint Assessment Attribute | AntiVirus= McAfee         |
CSD Location                           | Trusted                   | Untrusted
LDAP memberOf                          | Engineering, Managers     | Vendors
ACL                                    |                           | Web-Type ACL
Access                                 | AnyConnect and Web Portal | Web Portal
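The same AAA selection criteria (membership in two AD/LDAP groups plus a specific tunnel group) expressed as a DAP logical expression in Lua, as an added example rather than text from the guide; it assumes the ASA's EVAL function and the aaa.ldap.memberOf and aaa.cisco.tunnelgroup attribute names, and the tunnel group name is a placeholder you replace with your own:

```lua
-- Added example, not from the guide. The DAP record matches only when the
-- user's LDAP memberOf attribute carries both groups and the session was
-- established through the named tunnel group. The ASA's EVAL function
-- handles multi-valued attributes such as memberOf. "<TUNNEL_GROUP_NAME>"
-- is a placeholder, not a value from the guide.
(EVAL(aaa.ldap.memberOf, "EQ", "Engineering", "string") and
 EVAL(aaa.ldap.memberOf, "EQ", "Employees", "string") and
 EVAL(aaa.cisco.tunnelgroup, "EQ", "<TUNNEL_GROUP_NAME>", "string"))
```

Because the DAP record's ACL overrides the group policy ACL, confirm with a test user that the Web-Type ACL selected under Access Policy Attributes is the one you intend before assigning the record to production users.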