CHAP TER
31-1
User Guide for Cisco Security Manager 4.4
OL-28826-01
31
Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
This chapter explains Dynamic Access Policies (DAP) for assigning remote access users to connection
profiles (tunnel groups). You can configure these policies for remote access IKEv1 IPsec on ASA 8.0+
devices, IKEv2 IPsec on ASA 8.4(x) devices, and SSL VPNs on ASA 8.0+ (except 8.5) devices.
For information on configuring other remote access policies for ASA and PIX 7.0+ devices, see
Chapter 30, “Managing Remote Access VPNs on ASA and PIX 7.0+ Devices”.
This chapter contains the following topics:
Understanding Dynamic Access Policies, page 31-1
Configuring Dynamic Access Policies, page 31-2
Dynamic Access Page (ASA), page 31-10

Understanding Dynamic Access Policies

Multiple variables can affect each VPN connection, for example, intranet configurations that frequently
change, the various roles each user may inhabit within an organization, and logins from remote access
sites with different configurations and levels of security. The task of authorizing users is much more
complicated in a VPN environment than it is in a network with a static configuration.
Dynamic access policies (DAP) on a security appliance let you configure authorization that addresses
these many variables. You create a dynamic access policy by setting a collection of access control
attributes that you associate with a specific user tunnel or session. These attributes address issues of
multiple group membership and endpoint security. That is, the security appliance grants access to a
particular user for a particular session based on the policies you define. It generates a DAP at the time
the user connects by selecting and/or aggregating attributes from one or more DAP records. It selects
these DAP records based on the endpoint security information of the remote device and the AAA
authorization information for the authenticated user. It then applies the DAP record to the user tunnel or
session. The DAP system includes the following components that require your attention:
DAP Selection Configuration File—A text file containing criteria that the security appliance uses
for selecting and applying DAP records during session establishment. It is stored on the security
appliance. You can use Security Manager to modify it and upload it to the security appliance in XML
data format. DAP selection configuration files include all of the attributes that you configure. These
can include AAA attributes, endpoint attributes, and access policies as configured in network and
web-type ACL filter, port forwarding, and URL lists.