31-30
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Dynamic Access Page (ASA)
Add/Edit DAP Entry Dialog Box > NAC
NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue
applications by performing endpoint compliance and vulnerability checks as a condition for production
access to the network. We refer to these checks as posture validation. You can configure posture
validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on
a host with an AnyConnect or Clientless SSL VPN session are up-to-date before providing access to
vulnerable hosts on the intranet. Posture validation can include the verification that the applications
running on the remote hosts are updated with the latest patches. NAC occurs only after user
authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network
from hosts that are not subject to automatic network policy enforcement, such as home PCs. The security
appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate
the posture of remote hosts.
The establishment of a tunnel between the endpoint and the security appliance triggers posture
validation. You can configure the security appliance to pass the IP address of the client to an optional
audit server if the client does not respond to a posture validation request. The audit server, such as a
Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it
may challenge the host to determine whether its virus checking software is active and up-to-date. After
the audit server completes its interaction with the remote host, it passes a token to the posture validation
server, indicating the health of the remote host.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 31-12 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select NAC as the Criterion.
Table 31-14 Add/Edit DAP Entry Dialog Box > File (Continued)

Element      Description

Endpoint ID  Select a string that identifies an endpoint for files. Dynamic access
             policies use this ID to match Cisco Secure Desktop host scan attributes
             for dynamic access policy selection. You must configure Host Scan
             before you configure this attribute. When you configure Host Scan, the
             configuration displays in this pane, so you can select it, reducing the
             possibility of errors in typing or syntax.

Filename     Specify the filename.

Last Update  Available only if you selected the criteria to match the endpoint
             attribute for the dynamic access policy.
             Specify the number of days since the last update. You might want to
             indicate that an update should occur in less than (<) or more than (>)
             the number of days you enter here.

Checksum     Available only if you selected the criteria to match the endpoint
             attribute for the DAP record.
             Select the check box to specify a checksum to authenticate the file, then
             enter a checksum in hexadecimal format, beginning with 0x.
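To make the selection logic behind the File criterion concrete, the following added Python example (not Cisco code and not from this guide) evaluates a constructed Host Scan file record against the Endpoint ID, Filename, Last Update and Checksum fields, and applies the rule from the Note that a DAP with no attributes is always selected. It assumes CRC32 as the checksum algorithm and that every configured criterion must match; neither detail is stated on this page.

```python
from __future__ import annotations
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileCriterion:
    """One File endpoint attribute as entered in the Add/Edit DAP Entry dialog box."""
    endpoint_id: str                        # Host Scan endpoint ID (sample value, constructed)
    filename: str
    last_update_days: Optional[int] = None  # "Last Update": days since the file was updated
    update_op: str = "<"                    # "<" = updated within N days, ">" = older than N days
    checksum: Optional[str] = None          # hexadecimal string beginning with 0x


@dataclass
class HostScanFile:
    """Constructed stand-in for what Host Scan reports about one file on the endpoint."""
    endpoint_id: str
    filename: str
    days_since_update: int
    content: bytes


def file_checksum(content: bytes) -> str:
    # ASSUMPTION: CRC32 rendered as 0x-prefixed hex; the page only states the 0x format.
    return f"0x{zlib.crc32(content) & 0xFFFFFFFF:08x}"


def criterion_matches(crit: FileCriterion, scan: HostScanFile) -> bool:
    """True when the scanned file satisfies every field set on the criterion."""
    if crit.endpoint_id != scan.endpoint_id or crit.filename != scan.filename:
        return False
    if crit.last_update_days is not None:
        if crit.update_op == "<" and not scan.days_since_update < crit.last_update_days:
            return False
        if crit.update_op == ">" and not scan.days_since_update > crit.last_update_days:
            return False
    if crit.checksum is not None:
        if not crit.checksum.lower().startswith("0x"):
            raise ValueError("checksum must be hexadecimal, beginning with 0x")
        if int(crit.checksum, 16) != int(file_checksum(scan.content), 16):
            return False
    return True


def dap_selected(criteria: list[FileCriterion], scan_files: list[HostScanFile]) -> bool:
    """No criteria -> always selected (the Note above); otherwise all must match (assumed)."""
    return all(any(criterion_matches(c, f) for f in scan_files) for c in criteria)
```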