31-20
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Dynamic Access Page (ASA)
Device—Creates an endpoint attribute of type Device. The Device Criterion lets you provide
specific device information for use during the associated prelogin policy checking. See Add/Edit
DAP Entry Dialog Box > Device, page 31-28.
File—Creates an endpoint attribute of type File. Filename checking to be performed by Basic Host
Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry
Dialog Box > File, page 31-29.
NAC—Creates an endpoint attribute of type NAC. NAC protects the enterprise network from
intrusion and infection from worms, viruses, and rogue applications by performing endpoint
compliance checks. We refer to these checks as posture validation. See Add/Edit DAP Entry Dialog Box >
NAC, page 31-30.
Operating System—Creates an endpoint attribute of type Operating System. The prelogin
assessment module of the CSD can check the remote device for the OS version, IP address, and
Microsoft Windows registry keys. See Add/Edit DAP Entry Dialog Box > Operating System,
page 31-31.
Personal Firewall—Creates an endpoint attribute of type Personal Firewall. You can use the Host
Scan modules of Cisco Secure Desktop to scan for personal firewall applications and updates that
are running on the remote computer. For a description of the elements in the dialog box, see
Add/Edit DAP Entry Dialog Box > Personal Firewall, page 31-32.
Policy—Creates an endpoint attribute of type Policy. See Add/Edit DAP Entry Dialog Box > Policy,
page 31-33.
Process—Process name checking to be performed by Basic Host Scan must be explicitly configured
using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > Process, page 31-34.
Registry—Creates an endpoint attribute of type Registry. Registry key scans apply only to
computers running Microsoft Windows operating systems. See Add/Edit DAP Entry
Dialog Box > Registry, page 31-35.
Note: Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
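The following Python sketch is an added example, not part of the Cisco guide or of Security Manager. It models the selection behavior described in the note above and audits a set of policies for records that select every session and for duplicate entries. The record layout, the attribute names, and the rule that every criterion must hold are assumptions made for illustration; the appliance's own configuration format is not shown here.

```python
from dataclasses import dataclass, field

@dataclass
class DapRecord:
    name: str
    # Each criterion is (attribute, operator, value); "eq" = match, "ne" = not match.
    aaa: list = field(default_factory=list)
    endpoint: list = field(default_factory=list)

def selects(record, session):
    """Assumed ALL semantics: every criterion must hold. all([]) is True,
    so a record without criteria is selected for every session."""
    def holds(attr, op, value):
        actual = session.get(attr)  # absent attribute is None (assumption)
        return actual == value if op == "eq" else actual != value
    return all(holds(*c) for c in record.aaa + record.endpoint)

def selected_names(records, session):
    return [r.name for r in records if selects(r, session)]

def audit(records):
    """Flag records that select every session and records with duplicate entries."""
    findings = []
    for r in records:
        criteria = r.aaa + r.endpoint
        if not criteria:
            findings.append((r.name, "matches-all"))
        if len(set(criteria)) != len(criteria):
            findings.append((r.name, "duplicate-entry"))
    return findings

# Constructed sample data; attribute names are placeholders.
SAMPLE_RECORDS = [
    DapRecord("Contractors", aaa=[("group_policy", "eq", "Contractors")]),
    DapRecord("Windows-Only", endpoint=[("os", "eq", "Windows"), ("os", "eq", "Windows")]),
    DapRecord("Catch-All"),
]
SAMPLE_SESSION = {"group_policy": "Employees", "os": "Linux"}

if __name__ == "__main__":
    print("selected:", selected_names(SAMPLE_RECORDS, SAMPLE_SESSION))
    for name, issue in audit(SAMPLE_RECORDS):
        print(f"{name}: {issue}")
```
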
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 31-12 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed.
Related Topics
Understanding DAP Attributes, page 31-3
Configuring DAP Attributes, page 31-7
Configuring Dynamic Access Policies, page 31-2
Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco
To configure AAA attributes as selection criteria for dynamic access policies, in the Add/Edit DAP Entry
dialog box, set AAA Attributes Cisco as the selection criterion to be used to select and apply the dynamic
access policies during session establishment. You can set these attributes either to match or not match
the value you enter. There is no limit on the number of AAA attributes for each dynamic access policy.