31-40
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Dynamic Access Page (ASA)
Cisco Secure Desktop Manager Policy Editor Dialog Box
Using the Cisco Secure Desktop Manager (CSDM) Policy Editor dialog box, you can configure prelogin
policies, specify the checks to be performed between the time the user establishes a connection with the
security appliance and the time the user enters the login credentials, and configure host scans. For an
explanation of configuring CSD on an ASA device, see Configuring Cisco Secure Desktop Policies on
ASA Devices, page 31-8.
Note: The Cisco Secure Desktop Manager Policy Editor is an independent program. For information about
configuring CSD, and what CSD can do for you, see the materials available online at
http://www.cisco.com/en/US/products/ps6742/tsd_products_support_configure.html. Look specifically
for information on configuring prelogin policies and host scan. Select the configuration guide for the
CSD version you are configuring.
Navigation Path
Open the Dynamic Access Page (ASA), page 31-10, then click Configure from the Cisco Secure
Desktop section (you must first specify a CSD package). The CSDM Policy Editor dialog box is
displayed.
Table 31-22 Add/Edit Dynamic Access Policy Dialog Box > Advanced Expressions Tab (Continued)

Element: Relationship Drop-down List
Description: Specify the relationship between the basic selection rules and the logical expressions you enter on this tab, that is, whether the new attributes add to or substitute for the AAA and endpoint attributes already set. Select one of the following options:
- Basic AND Advanced—Creates an AND relationship between the basic and advanced expressions. Both the basic and advanced expressions defined in the dynamic access policy are considered while authenticating users. By default, this option is selected.
- Basic OR Advanced—Creates an OR relationship between the basic and advanced expressions. Users are granted access to a session if either the basic or advanced expressions in the dynamic access policy are matched with the user policy.
- Basic Only—Only the basic expressions defined in the DAP entry are used to determine whether the security appliance grants users access to a particular session.
- Advanced Only—Only the advanced expressions defined in the DAP entry are used to authorize users for an SSL VPN session.

Element: Advanced Expressions
Description: Enter one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas above. Enter free-form LUA text that defines new AAA and/or endpoint selection attributes. Security Manager does not validate text that you enter here; it just copies this text to the dynamic access policy XML file, and the security appliance processes it, discarding any expressions it cannot parse.
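
Because Security Manager copies the Advanced Expressions text without validating it and the appliance discards what it cannot parse, a structural check before deployment helps catch typos that would otherwise silently drop a condition. The following Python code is an added example, not part of the Cisco guide or any Cisco tool; it is a structural check, not a Lua parser. Assumptions: the `EVAL(...)` form and operator list come from Cisco's ASA DAP documentation rather than this page, and `scan`, `lint_expression` and the sample expressions are constructed for illustration.

```python
import re

# Assumption, from Cisco's ASA DAP documentation rather than this page:
# comparisons are written EVAL(<attribute>, "<op>", <value>[, "<type>"]).
EVAL_OPS = {"EQ", "NE", "LT", "GT", "LE", "GE"}
CLOSERS = {")": "(", "]": "[", "}": "{"}

def scan(text, start=0, in_call=False):
    """Track quotes and brackets from start. Returns (problems, args); args is
    the argument list of the call being scanned, or None if it never closes."""
    problems, stack, args, piece, quote = [], [], [], "", None
    i = start
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\":                      # keep the escaped character
                piece, i = piece + ch, i + 1
                ch = text[i] if i < len(text) else ""
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            stack.append(ch)
        elif ch == ")" and in_call and not stack:   # end of the EVAL call
            return problems, args + [piece.strip()]
        elif ch in CLOSERS and (not stack or stack.pop() != CLOSERS[ch]):
            problems.append(f"unmatched '{ch}' at offset {i}")
        elif ch == "," and in_call and not stack:   # top-level argument break
            args, piece, ch = args + [piece.strip()], "", ""
        piece += ch
        i += 1
    if quote:
        problems.append("unterminated string literal")
    return problems + [f"unclosed '{c}'" for c in stack], None

def lint_expression(text):
    """Return structural problems likely to make the expression unparseable."""
    problems, _ = scan(text)
    for m in re.finditer(r"\bEVAL\s*\(", text):
        _, args = scan(text, m.end(), in_call=True)
        if args is None:
            continue                            # already reported by scan()
        if len(args) not in (3, 4):
            problems.append(f"EVAL at offset {m.start()}: got {len(args)} arguments")
        elif args[1].strip("\"'") not in EVAL_OPS:
            problems.append(f"EVAL at offset {m.start()}: unknown comparison {args[1]}")
    return problems

# Constructed samples: one well-formed expression and one with two typos.
GOOD = '(EVAL(endpoint.os.version, "EQ", "Windows 7", "string"))'
BAD = '(EVAL(endpoint.os.version, "EQUALS", "Windows 7", "string")'
```

An empty list from `lint_expression` means only that none of these structural problems were found; the appliance remains the authority on what it can parse.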