36-17
Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
Example:
EVAL(endpoint.os.version, "EQ", "Windows XP", "string")
Constructing DAP Logical Expressions
Study these examples for help in creating logical expressions in Lua.
This AAA Lua expression tests for a match on usernames that begin with "b". It uses the string
library and a regular expression:
(string.find(aaa.cisco.username, "^b") ~= nil)
Note: The string.find expression does not work with multivalue attributes. See the Group Membership
Example for an example that uses a multivalue attribute.
This endpoint expression tests for a match on CLIENTLESS OR CVC client types:
(EVAL(endpoint.application.clienttype, "EQ", "CLIENTLESS") or
EVAL(endpoint.application.clienttype, "EQ", "CVC"))
This endpoint expression tests for Norton Antivirus versions 10.x but excludes 10.5.x:
(EVAL(endpoint.av["NortonAV"].version, "GE", "10", "version") and
(EVAL(endpoint.av["NortonAV"].version, "LT", "10.5", "version") or
EVAL(endpoint.av["NortonAV"].version, "GE", "10.6", "version")))
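The Norton expression above can be tried offline against constructed endpoint data before it goes into a DAP record. The following is an added example, not code from the Cisco guide: it defines a stand-in EVAL covering the comparison types in the EVAL table on this page. Assumptions: "version" compares numeric components left to right with missing components as 0, an omitted type means "string", and the norton_ok helper and sample versions are constructed for illustration.

```lua
-- Stand-in for the DAP EVAL function so expressions can be tried offline.
-- Assumed semantics (not Cisco's code): see the lead-in; a missing or
-- unparsable attribute makes EVAL return false.
local function split_version(v)
  local parts = {}
  for n in string.gmatch(v, "%d+") do parts[#parts + 1] = tonumber(n) end
  return parts
end

local function cmp(a, b, kind)
  if kind == "version" then
    local x, y = split_version(a), split_version(b)
    for i = 1, math.max(#x, #y) do
      local d = (x[i] or 0) - (y[i] or 0)
      if d ~= 0 then return d end
    end
    return 0
  elseif kind == "integer" then
    a, b = tonumber(a), tonumber(b)
  elseif kind == "hex" then
    a, b = tonumber(a, 16), tonumber(b, 16)
  elseif kind == "caseless" then
    a, b = string.lower(a), string.lower(b)
  end
  if a == nil or b == nil then return nil end   -- conversion failed
  if a == b then return 0 end
  return (a < b) and -1 or 1
end

local OPS = {
  EQ = function(d) return d == 0 end, NE = function(d) return d ~= 0 end,
  LT = function(d) return d < 0 end,  GT = function(d) return d > 0 end,
  LE = function(d) return d <= 0 end, GE = function(d) return d >= 0 end,
}
function EVAL(attr, op, value, kind)   -- global, so pasted expressions find it
  assert(OPS[op], "unknown operator: " .. tostring(op))
  if attr == nil then return false end
  local d = cmp(tostring(attr), value, kind or "string")
  return d ~= nil and OPS[op](d)
end

-- The page's Norton expression; `endpoint` is a constructed table.
local function norton_ok(endpoint)
  return (EVAL(endpoint.av["NortonAV"].version, "GE", "10", "version") and
    (EVAL(endpoint.av["NortonAV"].version, "LT", "10.5", "version") or
     EVAL(endpoint.av["NortonAV"].version, "GE", "10.6", "version")))
end
for _, v in ipairs({ "9.8", "10.0.2", "10.5.1", "10.6", "11.0" }) do
  print(v, norton_ok({ av = { NortonAV = { version = v } } }))
end
```

With these assumed semantics 10.5.1 is rejected and 11.0 is accepted, because the expression sets no upper bound on the major version.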
The DAP CheckAndMsg Function
CheckAndMsg is a Lua function that you can configure DAP to call. It generates a user message based
on a condition.
"EQ"          equal
"NE"          not equal
"LT"          less than
"GT"          greater than
"LE"          less than or equal
"GE"          greater than or equal

<value>       A string in quotation marks that contains the value to compare the attribute against

<type>        One of the following strings (quotation marks required)
"string"      case-sensitive string comparison
"caseless"    case-insensitive string comparison
"integer"     number comparison, converts string values to numbers
"hex"         number comparison using hexadecimal values, converts hex string to hex numbers
"version"     compares versions of the form X.Y.Z. where X, Y, and Z are numbers