31-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Configuring Dynamic Access Policies
Examples of DAP Logical Expressions
Study these examples for help in creating logical expressions in LUA.
This AAA LUA expression tests for a match on usernames that begin with "b". It uses the string
library and a regular expression:
not(string.find(aaa.cisco.username, "^b") == nil)
This endpoint expression tests for a match on CLIENTLESS OR CVC client types:
endpoint.application.clienttype=="CLIENTLESS" or endpoint.application.clienttype=="CVC"
This endpoint expression tests for Norton Antivirus versions 10.x but excludes 10.5.x:
(endpoint.av.NortonAV.version > "10" and endpoint.av.NortonAV.version < "10.5") or
endpoint.av.NortonAV.version > "10.6"
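The following Lua script is an added example, not part of the Cisco guide: it evaluates the three expressions above against constructed session data so you can see how each one resolves. The aaa and endpoint tables are stand-ins for the objects the security appliance exposes to a DAP expression, and the client type "OTHER" in the third session is a constructed value.

```lua
-- Added example (not from the Cisco guide). The aaa/endpoint tables below are
-- constructed stand-ins for the objects the security appliance passes to DAP.

local function evaluate(aaa, endpoint)
  local r = {}
  -- string.find returns nil when the anchored pattern "^b" does not match
  r.user_starts_with_b = not (string.find(aaa.cisco.username, "^b") == nil)
  -- CLIENTLESS or CVC client type
  r.clientless_or_cvc = endpoint.application.clienttype == "CLIENTLESS"
                     or endpoint.application.clienttype == "CVC"
  -- Norton AV 10.x excluding 10.5.x, exactly as written in the guide.
  -- The operands are strings, so Lua compares them lexicographically.
  local v = endpoint.av.NortonAV.version
  r.norton_allowed = (v > "10" and v < "10.5") or v > "10.6"
  return r
end

-- Constructed sessions covering the cases worth checking
local sessions = {
  { label = "bob, clientless, Norton 10.2",
    aaa = { cisco = { username = "bob" } },
    endpoint = { application = { clienttype = "CLIENTLESS" },
                 av = { NortonAV = { version = "10.2" } } } },
  { label = "alice, CVC, Norton 10.5.1",
    aaa = { cisco = { username = "alice" } },
    endpoint = { application = { clienttype = "CVC" },
                 av = { NortonAV = { version = "10.5.1" } } } },
  { label = "bill, OTHER, Norton 9.9",
    aaa = { cisco = { username = "bill" } },
    endpoint = { application = { clienttype = "OTHER" },
                 av = { NortonAV = { version = "9.9" } } } },
}

for _, s in ipairs(sessions) do
  local r = evaluate(s.aaa, s.endpoint)
  print(string.format("%-28s user_b=%-5s clientless_or_cvc=%-5s norton=%-5s",
        s.label,
        tostring(r.user_starts_with_b),
        tostring(r.clientless_or_cvc),
        tostring(r.norton_allowed)))
end
```

Because the version operands are strings, "9.9" sorts after "10.6" (the byte "9" is greater than "1"), so the third session satisfies the Norton test even though 9.x is outside the intended 10.x range; check any string-based version expression against the exact version strings your endpoints report.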
DAP Connection Sequence
The following sequence outlines a typical remote access connection establishment.
1. A remote client attempts a VPN connection.
2. The security appliance performs posture assessment, using configured NAC and Cisco Secure
Desktop Host Scan values.
3. The security appliance authenticates the user via AAA. The AAA server also returns authorization
attributes for the user.
4. The security appliance applies AAA authorization attributes to the session, and establishes the VPN
tunnel.
5. The security appliance selects DAP records based on the user AAA authorization information and
the session posture assessment information.
6. The security appliance aggregates DAP attributes from the selected DAP records, and they become
the DAP policy.
7. The security appliance applies the DAP policy to the session.
Related Topics
Configuring Dynamic Access Policies, page 31-2
Understanding Dynamic Access Policies, page 31-1
Configuring DAP Attributes, page 31-7
Configuring DAP Attributes
The attributes you must define for a DAP policy include specifying the authorization attributes and
endpoint attributes. You can also configure network and webtype ACLs, file browsing, file server entry,
HTTP proxy, URL entry, port forwarding lists and URL lists.
This procedure describes how to create or edit the AAA and endpoint attributes required for a DAP
policy.
Related Topics
Understanding DAP Attributes, page 31-3
Understanding Dynamic Access Policies, page 31-1
Configuring Dynamic Access Policies, page 31-2