Cisco ASA 5505 Configuration Manual page 1425

Configuring Dynamic Access Policies
This chapter describes how to configure dynamic access policies. It includes the following sections.
Understanding VPN Access Policies
VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection,
for example, intranet configurations that frequently change, the various roles each user may inhabit
within an organization, and logins from remote access sites with different configurations and levels of
security. The task of authorizing users is much more complicated in a VPN environment than it is in a
network with a static configuration.
Dynamic access policies (DAP) on the adaptive security appliance let you configure authorization that
addresses these many variables. You create a dynamic access policy by setting a collection of access
control attributes that you associate with a specific user tunnel or session. These attributes address issues
of multiple group membership and endpoint security. That is, the adaptive security appliance grants
access to a particular user for a particular session based on the policies you define. It generates a DAP
at the time the user connects by selecting and/or aggregating attributes from one or more DAP records.
It selects these DAP records based on the endpoint security information of the remote device and the
AAA authorization information for the authenticated user. It then applies the DAP record to the user
tunnel or session.
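The selection-and-aggregation behaviour described above can be pictured with a small model of DAP records. The following is an added example written for this page, not Cisco's code and not the adaptive security appliance's real evaluation engine. It assumes simplified rules: a record is selected only when all of its AAA criteria and all of its endpoint criteria hold for the session (the real product also offers any/none operators for endpoint attributes, covered later in the chapter), the most restrictive action among the selected records wins, network ACLs of the selected records are aggregated in record priority order, and a default record applies when nothing else matches. Record names, group names and ACL names are constructed, and "DfltAccessPolicy" is only used here as the name of the assumed fallback record.

```python
from dataclasses import dataclass, field


@dataclass
class DapRecord:
    name: str
    priority: int                      # higher value orders first when several records match
    aaa_criteria: dict = field(default_factory=dict)       # e.g. {"memberOf": "Engineering"}
    endpoint_criteria: dict = field(default_factory=dict)  # e.g. {"antivirus": True}
    action: str = "continue"           # "continue" or "terminate"
    network_acls: list = field(default_factory=list)


@dataclass
class Session:
    aaa: dict        # AAA authorization attributes of the authenticated user
    endpoint: dict   # endpoint security information reported by the remote device


def record_matches(record: DapRecord, session: Session) -> bool:
    """A record is selected when every AAA and every endpoint criterion holds.

    Assumption of this model: multi-valued AAA attributes (such as group
    membership) are lists, and a criterion on them is satisfied when the
    wanted value is one of the list members.
    """
    for attr, wanted in record.aaa_criteria.items():
        actual = session.aaa.get(attr)
        if isinstance(actual, list):
            if wanted not in actual:
                return False
        elif actual != wanted:
            return False
    for attr, wanted in record.endpoint_criteria.items():
        if session.endpoint.get(attr) != wanted:
            return False
    return True


def generate_dap(records, session, default):
    """Select the matching records and aggregate them into one policy for the session."""
    matched = sorted((r for r in records if record_matches(r, session)),
                     key=lambda r: -r.priority)
    if not matched:
        matched = [default]                       # nothing matched: fall back to the default record
    # Most restrictive action wins (assumed rule of this model).
    action = "terminate" if any(r.action == "terminate" for r in matched) else "continue"
    acls = []
    for r in matched:                             # ACLs aggregated in priority order, no duplicates
        for acl in r.network_acls:
            if acl not in acls:
                acls.append(acl)
    return {"records": [r.name for r in matched], "action": action, "network_acls": acls}


# Constructed sample records (hypothetical names and ACLs, not taken from the guide).
RECORDS = [
    DapRecord("Engineering-Managed", 10, {"memberOf": "Engineering"}, {"antivirus": True},
              "continue", ["eng-full-access"]),
    DapRecord("Contractor", 5, {"memberOf": "Contractors"}, {}, "continue", ["contractor-restricted"]),
    DapRecord("No-Antivirus", 20, {}, {"antivirus": False}, "terminate"),
]
DEFAULT = DapRecord("DfltAccessPolicy", 0, {}, {}, "continue", ["web-only"])


def evaluate(aaa: dict, endpoint: dict) -> dict:
    """Generate the DAP for one session against the constructed sample records."""
    return generate_dap(RECORDS, Session(aaa, endpoint), DEFAULT)


if __name__ == "__main__":
    for label, aaa, ep in [
        ("engineer, antivirus running", {"memberOf": ["Engineering"]}, {"antivirus": True}),
        ("engineer, antivirus missing", {"memberOf": ["Engineering"]}, {"antivirus": False}),
        ("engineer and contractor", {"memberOf": ["Engineering", "Contractors"]}, {"antivirus": True}),
        ("user in no configured group", {"memberOf": ["Guests"]}, {"antivirus": True}),
    ]:
        print(f"{label}: {evaluate(aaa, ep)}")
```

The third session shows the multiple-group-membership case the text mentions: two records match, and the generated policy carries the ACLs of both in priority order. The second session shows why endpoint criteria matter for authorization: the same user who is normally granted full access is instead terminated because the endpoint check fails.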
The DAP system includes the following components that require your attention:
DAP Selection Configuration File—A text file containing criteria that the adaptive security
appliance uses for selecting and applying DAP records during session establishment. Stored on the
adaptive security appliance. You can use ASDM to modify it and upload it to the adaptive security
appliance in XML data format. DAP selection configuration files include all of the attributes that
you configure. These can include AAA attributes, endpoint attributes, and access policies as
configured in network and web-type ACL filter, port forwarding and URL lists,

Sections in this chapter:
Understanding VPN Access Policies
Add/Edit Dynamic Access Policies
Add/Edit AAA Attributes
Retrieving Active Directory Groups
Add/Edit Endpoint Attributes
Operator for Endpoint Category
DAP Examples

Chapter 65, Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 65-1