Cisco ASA 5505 Configuration Manual page 1453

Chapter 65
Configuring Dynamic Access Policies
Using DAP to Define Network Resources
This example shows how to configure dynamic access policies as a method of defining network
resources for a user or group. The DAP policy named Trusted_VPN_Access permits clientless and
AnyConnect VPN access. The policy named Untrusted_VPN_Access permits only clientless VPN
access. Table 65-4 summarizes the configuration of each of these policies.
The ASDM path is Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic
Access Policies > Add/Edit Dynamic Access Policy > Endpoint
Table 65-4 A Simple DAP Configuration for Network Resources
Attribute                      | Trusted_VPN_Access          | Untrusted_VPN_Access
Endpoint Attribute Type Policy | Trusted                     | Untrusted
Endpoint Attribute Process     | ieexplore.exe               |
Advanced Endpoint Assessment   | AntiVirus= McAfee Attribute |
CSD Location                   | Trusted                     | Untrusted
LDAP memberOf                  | Engineering, Managers       | Vendors
ACL                            |                             | Web-Type ACL
Access                         | AnyConnect and Web Portal   | Web Portal
Using DAP to Apply a WebVPN ACL
DAP can directly enforce a subset of access policy attributes including Network ACLs (for IPsec and
AnyConnect), clientless SSL VPN Web-Type ACLs, URL lists, and Functions. It cannot directly
enforce, for example, a banner or the split tunnel list, which the group policy enforces. The Access
Policy Attributes tabs in the Add/Edit Dynamic Access Policy pane provide a complete menu of the
attributes DAP directly enforces.
Active Directory/LDAP stores user group policy membership as the "memberOf" attribute in the user
entry. You can define a DAP such that for a user in AD group (memberOf) = Engineering the adaptive
security appliance applies a configured Web-Type ACL. To accomplish this task, perform the following
steps:
Step 1 Navigate to the Add AAA attributes pane (Configuration > Remote Access VPN > Clientless SSL VPN
Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add
AAA Attribute).
Step 2 For the AAA Attribute type, use the drop-down menu to choose LDAP.
Step 3 In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.
Step 4 In the Value field, use the drop-down menu to choose =, and in the adjacent field enter Engineering.
Step 5 In the Access Policy Attributes area of the pane, click the Web-Type ACL Filters tab.
Step 6 Use the Web-Type ACL drop-down menu to select the ACL you want to apply to users in the AD group
(memberOf) = Engineering.
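The two records of Table 65-4 and the memberOf = Engineering rule from the steps above, as an added model of how a DAP record's criteria select a session; this is a constructed example, not the ASA's own evaluation code or its dap.xml format. It assumes attribute keys that are just labels for the table rows (not the ASA's DAP attribute names), assumed ACL names (Vendors_WebACL, Engineering_WebACL), and a simplified union when several records match; it does show why a multi-valued AD memberOf (a user in Engineering and Sales) still satisfies a single-value criterion.

```python
"""Constructed model of DAP record selection for the records on this page.
Illustrative only: not the ASA's own evaluation code, and the attribute keys
are labels for the rows of Table 65-4, not the ASA's DAP attribute names."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class DapRecord:
    name: str
    criteria: Dict[str, List[str]]  # attribute -> acceptable values (any of them)
    access: Set[str]                # access methods this record grants
    web_type_acl: Optional[str] = None


# Table 65-4, Trusted_VPN_Access column
TRUSTED = DapRecord("Trusted_VPN_Access",
    {"policy": ["Trusted"], "process": ["ieexplore.exe"], "av": ["McAfee"],
     "location": ["Trusted"], "memberOf": ["Engineering", "Managers"]},
    {"AnyConnect", "Web Portal"})
# Table 65-4, Untrusted_VPN_Access column (the ACL name is an assumed placeholder)
UNTRUSTED = DapRecord("Untrusted_VPN_Access",
    {"policy": ["Untrusted"], "location": ["Untrusted"], "memberOf": ["Vendors"]},
    {"Web Portal"}, web_type_acl="Vendors_WebACL")
# The six-step procedure: memberOf = Engineering applies a Web-Type ACL only
ENG_ACL = DapRecord("Engineering_WebACL", {"memberOf": ["Engineering"]},
                    set(), web_type_acl="Engineering_WebACL")
DEFAULT = DapRecord("DfltAccessPolicy", {}, set())  # applies when nothing matches
RECORDS = (TRUSTED, UNTRUSTED, ENG_ACL)


def matches(record: DapRecord, session: Dict[str, object]) -> bool:
    """Every criterion must hold; a session attribute may carry several values
    (AD memberOf, running processes), and any overlap satisfies the criterion."""
    for attr, allowed in record.criteria.items():
        have = session.get(attr, ())
        values = {have} if isinstance(have, str) else set(have)
        if not values & set(allowed):
            return False
    return True


def effective_access(session: Dict[str, object]) -> Dict[str, object]:
    """Return the matching records and a simplified union of what they grant."""
    hits = [r for r in RECORDS if matches(r, session)] or [DEFAULT]
    access = set().union(*(r.access for r in hits))
    return {"records": [r.name for r in hits],
            "access": sorted(access),
            "web_type_acls": [r.web_type_acl for r in hits if r.web_type_acl]}
```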
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 65-29