Cisco Cisco ASA 5585-X Adaptive Security Appliance 데이터 시트
DAP and Endpoint Security Attributes
In addition to AAA attributes, the security appliance can also obtain endpoint security attributes by using
posture assessment methods that you configure. These include Basic Host Scan, Secure Desktop,
Standard/Advanced Endpoint Assessment and NAC as shown in Figure 2. Endpoint Assessment
Attributes are obtained and sent to the security appliance prior to user authentication. However, AAA
Attributes, including the overall DAP record, are validated during user authentication.
posture assessment methods that you configure. These include Basic Host Scan, Secure Desktop,
Standard/Advanced Endpoint Assessment and NAC as shown in Figure 2. Endpoint Assessment
Attributes are obtained and sent to the security appliance prior to user authentication. However, AAA
Attributes, including the overall DAP record, are validated during user authentication.
Figure 2. Endpoint Attribute GUI
Default Dynamic Access Policy
Prior to the introduction and implementation of DAP, access policy attribute/value pairs that were
associated with a specific user tunnel or session were defined either locally on the ASA, i.e., (Tunnel
Groups and Group Policies) or mapped via external AAA servers. However, in the v8.0 release, DAP can
be configured to complement or override both local and external access policies.
associated with a specific user tunnel or session were defined either locally on the ASA, i.e., (Tunnel
Groups and Group Policies) or mapped via external AAA servers. However, in the v8.0 release, DAP can
be configured to complement or override both local and external access policies.
DAP is always enforced by default. However, for administrators who prefer the legacy policy enforcement
method, for example, enforcing access control via Tunnel Groups, Group Policies and AAA without the
explicit enforcement of DAP can still obtain this behavior. For legacy behavior, no configuration changes to
the DAP feature, including the default DAP record, DfltAccessPolicy, are required as shown in Figure 3.
method, for example, enforcing access control via Tunnel Groups, Group Policies and AAA without the
explicit enforcement of DAP can still obtain this behavior. For legacy behavior, no configuration changes to
the DAP feature, including the default DAP record, DfltAccessPolicy, are required as shown in Figure 3.
Figure 3. Default Dynamic Access Policy
Nevertheless, if any of the default values in a DAP record are changed, for example, the Action: parameter
in the DfltAccessPolicy is changed from its default value to Terminate and additional DAP records are not
configured, authenticated users will, by default, match the DfltAccessPolicy DAP record and will be denied
VPN access.
in the DfltAccessPolicy is changed from its default value to Terminate and additional DAP records are not
configured, authenticated users will, by default, match the DfltAccessPolicy DAP record and will be denied
VPN access.
Consequently, one or more DAP records will need to be created and configured to authorize VPN
connectivity and define which network resources an authenticated user is authorized to access. Thus,
DAP, if configured, will take precedence over legacy policy enforcement.
connectivity and define which network resources an authenticated user is authorized to access. Thus,
DAP, if configured, will take precedence over legacy policy enforcement.
Configuring Dynamic Access Policies
When using DAP to define which network resources a user has access to, there are many parameters to
consider. For example, identifying whether the connecting endpoint is coming from a managed,
consider. For example, identifying whether the connecting endpoint is coming from a managed,
Page 2 of 25
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco Systems
3/9/2012
http://kbase/paws/servlet/ViewFile/108000/dap-deploy-guide.xml?convertPaths=1