Cisco ASA 5580 Adaptive Security Appliance Data Sheet

unmanaged or untrusted environment, determining the selection criteria necessary to identify the connecting endpoint, and, based on the endpoint assessment and/or AAA credentials, which network resources the connecting user will be authorized to access. To accomplish this, you will first need to become familiar with the DAP features and functions shown in Figure 4.
Figure 4. Dynamic Access Policy
When configuring a DAP record, there are two major components to consider:
- Selection Criteria, including Advanced Options
- Access Policy Attributes
The Selection Criteria section is where an administrator configures the AAA and endpoint attributes used to select a specific DAP record. A DAP record is used when the user's authorization attributes match the AAA attribute criteria and every endpoint attribute has been satisfied.
For example, if the AAA Attribute Type is LDAP (Active Directory), the Attribute Name string is memberOf, and the Value string is Contractors, as shown in Figure 5a, the authenticating user must be a member of the Active Directory group Contractors to match the AAA attribute criteria.
In addition to satisfying the AAA attribute criteria, the authenticating user is also required to satisfy the endpoint attribute criteria. For example, if the administrator configured Cisco Secure Desktop (CSD) to determine the posture of the connecting endpoint, and based on that posture assessment the endpoint was placed in the CSD Location Unmanaged, the administrator could then use this assessment information as the selection criterion for the endpoint attribute shown in Figure 5b.
Figure 5a. AAA Attribute Criteria
Figure 5b. Endpoint Attribute Criteria
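The selection rule above (a record applies only when the session matches the AAA criteria and every endpoint criterion is satisfied) modelled as an added Python example; this is illustrative code, not Cisco's DAP implementation. The session layout, the attribute source labels ("ldap", "csd") and the choice that all AAA criteria must match are assumptions of the example; LDAP memberOf is treated as multi-valued, so a user in several groups still matches.

```python
"""Evaluate DAP-style selection criteria against a VPN session (added example).

Assumptions: a session is a dict mapping (source, attribute name) to the set
of values seen for that attribute; every AAA criterion and every endpoint
criterion in a record must be met for the record to apply.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Criterion:
    source: str   # e.g. "ldap" (AAA) or "csd" (endpoint posture)
    name: str     # e.g. "memberOf" or "location"
    value: str    # e.g. "Contractors" or "Unmanaged"


@dataclass
class DapRecord:
    name: str
    aaa: list = field(default_factory=list)       # AAA attribute criteria
    endpoint: list = field(default_factory=list)  # endpoint attribute criteria


def _satisfied(crit, session):
    # A criterion holds if its value is among the values the session reports
    # for that attribute; a missing attribute can never satisfy a criterion.
    return crit.value in session.get((crit.source, crit.name), set())


def record_applies(record, session):
    """True only when all AAA criteria AND all endpoint criteria are met."""
    return (all(_satisfied(c, session) for c in record.aaa)
            and all(_satisfied(c, session) for c in record.endpoint))


def select_records(records, session):
    """Names of every DAP record whose selection criteria this session meets."""
    return [r.name for r in records if record_applies(r, session)]


# Constructed record mirroring the Figure 5a / 5b criteria from the text.
CONTRACTOR_UNMANAGED = DapRecord(
    "Contractors-Unmanaged",
    aaa=[Criterion("ldap", "memberOf", "Contractors")],
    endpoint=[Criterion("csd", "location", "Unmanaged")],
)


def demo():
    # Constructed session: contractor in two AD groups on an unmanaged endpoint.
    session = {("ldap", "memberOf"): {"Contractors", "VPN-Users"},
               ("csd", "location"): {"Unmanaged"}}
    return select_records([CONTRACTOR_UNMANAGED], session)
```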
Page 3 of 25
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco Systems
3/9/2012
http://kbase/paws/servlet/ViewFile/108000/dap-deploy-guide.xml?convertPaths=1