Cisco ASA 5505 Configuration Manual page 1435

Chapter 65
Configuring Dynamic Access Policies
Step 8
In the Advanced field you can enter one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas above.
Step 9
To configure network and webtype ACLs, file browsing, file server entry, HTTP proxy, URL entry, port forwarding lists and URL lists, set values in the Access Policy Attributes fields.
Fields
Policy Name—A string of 4 through 32 characters, no spaces allowed.
Description—(Optional) Describes the purpose of the DAP record. Maximum 80 characters.
Priority—Sets the priority of the DAP. The security appliance applies access policies in the order you set here, highest number having the highest priority. Values of 0 to 2147483647 are valid. Default = 0.
ANY/ALL/NONE drop-down list—Set to require that user authorization attributes match any, all, or none of the values in the AAA attributes you are configuring, as well as satisfying every endpoint attribute. Duplicate entries are not allowed. If you configure a DAP record with no AAA or endpoint attributes, the adaptive security appliance always selects it since all selection criteria are satisfied.
AAA Attributes—Displays the configured AAA attributes.
Endpoint Attributes—Displays the configured endpoint attributes.
Attribute—Displays the name of the AAA attribute.
Operation/Value—Displays the operator (= or !=) and the value that the AAA attribute is compared against.
Add/Edit/Delete—Click to add, edit, or delete the highlighted AAA attribute.
Endpoint ID—Identifies endpoint attributes.
Name/Operation/Value—Summarizes configured values for each endpoint attribute.
Add/Edit/Delete—Click to add, edit, or delete the highlighted endpoint attribute.
Note: Cisco Secure Desktop provides the adaptive security appliance with all endpoint attributes except Application and NAC. To configure all other endpoint attributes, you must first enable Cisco Secure Desktop, and configure the relevant endpoint attributes there as well.
Logical Op.—You can create multiple instances of each type of endpoint attribute. Click to configure whether the DAP policy should require that the user have all instances of a type (Match all = AND) or only one of them (Match Any = OR). Be aware that for some endpoint attributes, for example OS, it can never happen that a user would have more than one instance of the attribute.
Advanced—Click to set additional attributes for the dynamic access policy. Be aware that this is an advanced feature that requires knowledge of Lua.
AND/OR—Click to define the relationship between the basic selection rules and the logical expressions you enter here, that is, whether the new attributes add to or substitute for the AAA and endpoint attributes already set. The default is AND.
Logical Expressions—You can configure multiple instances of each type of endpoint attribute. Enter free-form Lua text that defines new AAA and/or endpoint selection attributes. ASDM does not validate text that you enter here; it just copies this text to the DAP XML file, and the adaptive security appliance processes it, discarding any expressions it cannot parse.
Guide—Click to display online help for creating these logical operations.
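The field descriptions above define how a DAP record is selected: records are ranked by Priority (higher number first), the ANY/ALL/NONE drop-down decides how the AAA criteria combine, every endpoint attribute type must be satisfied with its Logical Op. (Match all = AND, Match Any = OR) applied across the instances of that type, and a record with no criteria always matches. The following Python model of that selection logic is an added example, not Cisco's code or the ASA's actual implementation; the session values, group DNs, attribute names and DAP record names are constructed, and treating a criterion as satisfied when at least one of a multi-valued attribute's values matches is a modelling choice. It is in Python rather than Lua because the page shows no Lua API, and the point is the selection semantics the fields describe.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Operators available in the Operation/Value column of the DAP editor.
OPS = {"=": lambda have, want: have == want,
       "!=": lambda have, want: have != want}


@dataclass
class AAACriterion:
    attribute: str  # constructed attribute name, e.g. "ldap.memberOf"
    op: str         # "=" or "!="
    value: str


@dataclass
class EndpointCriterion:
    endpoint_id: str  # endpoint attribute type, e.g. "os" or "av" (constructed)
    name: str         # attribute within that type, e.g. "version"
    op: str
    value: str


@dataclass
class DAPRecord:
    name: str
    priority: int = 0
    aaa_mode: str = "ANY"  # the ANY/ALL/NONE drop-down
    aaa: List[AAACriterion] = field(default_factory=list)
    endpoint: List[EndpointCriterion] = field(default_factory=list)
    # Logical Op. per endpoint type: "all" (Match all = AND) or "any" (Match Any = OR)
    logical_op: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Constraints stated in the Fields section: 4-32 chars, no spaces; 0..2147483647.
        if not (4 <= len(self.name) <= 32) or " " in self.name:
            raise ValueError("Policy Name must be 4 to 32 characters with no spaces")
        if not (0 <= self.priority <= 2147483647):
            raise ValueError("Priority must be between 0 and 2147483647")
        if self.aaa_mode not in ("ANY", "ALL", "NONE"):
            raise ValueError("aaa_mode must be ANY, ALL or NONE")


def _holds(op: str, have: List[str], want: str) -> bool:
    """Modelling choice: a criterion holds when at least one value the session
    carries for the attribute satisfies the operator (group membership is multi-valued)."""
    return any(OPS[op](v, want) for v in have)


def aaa_matches(record: DAPRecord, session: dict) -> bool:
    if not record.aaa:  # no AAA criteria configured: nothing can fail
        return True
    results = [_holds(c.op, session["aaa"].get(c.attribute, []), c.value)
               for c in record.aaa]
    if record.aaa_mode == "ALL":
        return all(results)
    if record.aaa_mode == "NONE":
        return not any(results)
    return any(results)  # ANY


def endpoint_matches(record: DAPRecord, session: dict) -> bool:
    """Every endpoint type on the record must be satisfied; within one type the
    Logical Op. decides whether all instances or any single instance must hold."""
    by_type: Dict[str, List[bool]] = {}
    for c in record.endpoint:
        have = session["endpoint"].get(c.endpoint_id, {}).get(c.name, [])
        by_type.setdefault(c.endpoint_id, []).append(_holds(c.op, have, c.value))
    for endpoint_id, results in by_type.items():
        combine = all if record.logical_op.get(endpoint_id, "all") == "all" else any
        if not combine(results):
            return False
    return True


def record_matches(record: DAPRecord, session: dict) -> bool:
    return aaa_matches(record, session) and endpoint_matches(record, session)


def select_dap(records: List[DAPRecord], session: dict) -> List[str]:
    """Names of every matching record, highest priority number first."""
    matched = [r for r in records if record_matches(r, session)]
    return [r.name for r in sorted(matched, key=lambda r: r.priority, reverse=True)]


# Constructed sample session: the authenticated user's AAA values and endpoint data.
ENG = "CN=Engineering,OU=Groups,DC=example,DC=com"
VPN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
SESSION = {
    "aaa": {"ldap.memberOf": [ENG, VPN]},
    "endpoint": {"os": {"version": ["Windows 7"]},
                 "av": {"exists": ["true"], "vendor": ["Example AV"]}},
}

# Constructed sample DAP records exercising each selection rule.
RECORDS = [
    DAPRecord("Default-Catch-All", priority=0),  # no criteria: always selected
    DAPRecord("Engineering-Windows", priority=20, aaa_mode="ANY",
              aaa=[AAACriterion("ldap.memberOf", "=", ENG)],
              endpoint=[EndpointCriterion("os", "version", "=", "Windows 7"),
                        EndpointCriterion("av", "exists", "=", "true")]),
    DAPRecord("Block-Unmanaged", priority=50, aaa_mode="NONE",  # user IS in VPN-Users
              aaa=[AAACriterion("ldap.memberOf", "=", VPN)]),
    DAPRecord("Multi-AV", priority=10, logical_op={"av": "any"},  # one of two vendors
              endpoint=[EndpointCriterion("av", "vendor", "=", "Example AV"),
                        EndpointCriterion("av", "vendor", "=", "Other AV")]),
]

if __name__ == "__main__":
    print(select_dap(RECORDS, SESSION))
```

Running the block lists Engineering-Windows, then Multi-AV, then Default-Catch-All: Block-Unmanaged is excluded because NONE requires that no configured AAA value match, and switching Multi-AV's Logical Op. for the av type to Match all would exclude it too, since the session reports only one of the two vendors.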
Understanding VPN Access Policies
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 65-11