31-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Configuring Dynamic Access Policies
DfltAccessPolicy—Always the last entry in the DAP summary table, always with a priority of 0.
You can configure Access Policy attributes for the default access policy, but it does not contain—and
you cannot configure—AAA or endpoint attributes. You cannot delete the DfltAccessPolicy, and it
must be the last entry in the summary table.
Tip: Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Integration of Cisco Secure Desktop with DAP
The security appliance integrates the Cisco Secure Desktop (CSD) features into dynamic access policies
(DAPs). Depending on the configuration, the security appliance uses one or more endpoint attribute
values in combination with optional AAA attribute values as conditions for assigning a DAP. The Cisco
Secure Desktop features supported by the endpoint attributes of DAPs include OS detection, prelogin
policies, Basic Host Scan results, and Endpoint Assessment.
As an administrator, you can specify a single attribute or combine attributes that together form the
conditions required to assign a DAP to a session. The DAP provides network access at the level that is
appropriate for the endpoint AAA attribute value. The security appliance applies a DAP when all of its
configured endpoint criteria are satisfied.
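The following Python sketch is an added illustration, not Cisco code or ASA configuration. It models the rules stated above: a record applies only when all of its configured criteria match, DfltAccessPolicy is the fallback, and unspecified settings come from the group policy. The record names, attribute keys, and setting values are constructed, and choosing the single highest-priority match is a simplifying assumption of this model.

```python
# Simplified model of DAP assignment (illustration only, not ASA behavior in full).
DEFAULT = "DfltAccessPolicy"

# Constructed sample records; attribute keys are hypothetical labels,
# not ASA attribute identifiers.
DAP_RECORDS = [
    {"name": "Managed-Laptop", "priority": 20,
     "aaa": {"group": "employees"},
     "endpoint": {"os": "Windows", "prelogin_policy": "Corporate"},
     "settings": {"acl": "FULL-ACCESS"}},
    {"name": "Contractor", "priority": 10,
     "aaa": {"group": "contractors"},
     "endpoint": {"os": "Windows"},
     "settings": {"acl": "WEB-ONLY", "banner": "Contractor access"}},
    # The default record carries no AAA or endpoint attributes, priority 0.
    {"name": DEFAULT, "priority": 0, "aaa": {}, "endpoint": {},
     "settings": {"acl": "DENY-ALL"}},
]

def matches(record, session):
    """True when every configured AAA and endpoint criterion is satisfied."""
    criteria = {**record["aaa"], **record["endpoint"]}
    return all(session.get(key) == value for key, value in criteria.items())

def assign_dap(session, records=DAP_RECORDS):
    """Highest-priority matching record (model assumption), else the default."""
    hits = [r for r in records if r["name"] != DEFAULT and matches(r, session)]
    if hits:
        return max(hits, key=lambda r: r["priority"])
    return next(r for r in records if r["name"] == DEFAULT)

def effective_setting(name, dap, group_policy):
    """A DAP setting wins; if the DAP does not specify it, use the group policy."""
    if name in dap["settings"]:
        return dap["settings"][name]
    return group_policy.get(name)

if __name__ == "__main__":
    group_policy = {"acl": "GP-ACL", "banner": "Welcome", "dns": "10.0.0.53"}
    sessions = [  # constructed sessions
        {"group": "employees", "os": "Windows", "prelogin_policy": "Corporate"},
        {"group": "employees", "os": "Windows", "prelogin_policy": "Unmanaged"},
        {"group": "contractors", "os": "Windows"},
    ]
    for s in sessions:
        dap = assign_dap(s)
        print(dap["name"], {k: effective_setting(k, dap, group_policy)
                            for k in ("acl", "banner", "dns")})
```

The second session shows the case worth reviewing in any DAP design: an employee whose endpoint fails one criterion matches no record and receives whatever the default access policy grants.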
Related Topics
Configuring Dynamic Access Policies, page 31-2
Configuring DAP Attributes, page 31-7
Configuring Dynamic Access Policies
This procedure describes how to create or edit a dynamic access policy.
Related Topics
Understanding Dynamic Access Policies, page 31-1
Understanding DAP Attributes, page 31-3
Configuring Cisco Secure Desktop Policies on ASA Devices, page 31-8
Step 1 Do one of the following:
• (Device view) With an ASA device selected, select Remote Access VPN > Dynamic Access from
the Policy selector.
• (Policy view) Select Remote Access VPN > Dynamic Access (ASA) from the Policy Type selector.
Select an existing policy or create a new one.
The Dynamic Access page opens. For a description of the elements on this page, see Dynamic Access
Page (ASA), page 31-10.
Step 2 Click Create or select a policy in the table and click Edit.
The Add/Edit Dynamic Access Policy dialog box opens, with the Main tab open by default. For a
description of the elements in this dialog box, see Table 31-4 on page 31-13.
Step 3 Enter the name of the DAP record (up to 128 characters).