Cisco ASA 5585-X Adaptive Security Appliance Data Sheet
Thus, to match the DAP record shown in Figure 6 and be assigned it, the authenticating user must be a member of the
Contractors Active Directory group and the connecting endpoint must satisfy the CSD policy value
“Unchanged.”
Figure 6. AAA and Endpoint Attribute Criteria Match
AAA and Endpoint attributes can be created using the tables as described in Figure 6 and/or by expanding
the Advanced option to specify a logical expression as shown in Figure 7. Currently, the logical expression
is constructed with EVAL functions, for example, EVAL(endpoint.av.McAfeeAV.exists,"EQ","true","string")
and EVAL(endpoint.av.McAfeeAV.description,"EQ","McAfee VirusScan Enterprise","string"), that
represent AAA and/or endpoint selection logical operations.
Logical Expressions are useful for adding selection criteria other than what is possible in the AAA and
endpoint attribute areas above. For example, while you can configure the security appliances to use AAA
attributes that satisfy any, all or none of the specified criteria, endpoint attributes are cumulative, and must
all be satisfied. To let the security appliance employ one endpoint attribute or another, you need to create
appropriate logical expressions under the Advanced section of the DAP record.
Figure 7. Logical Expression GUI for Advanced Attribute creation
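The following logical expression is an added example and is not taken from the guide. It shows how the Advanced section is used to accept one endpoint attribute or another, which the cumulative endpoint-attribute table cannot express. DAP logical expressions are written in Lua and wrapped in assert(function() ... end)(); the EVAL(attribute, operator, value, type) calls for McAfee are the ones quoted in the guide. The second product key, endpoint.av.OtherAV, is a placeholder and must be replaced with the key that CSD/HostScan actually reports for the product you want to accept.

```lua
-- Added example: match this DAP record when EITHER antivirus product is present.
-- Endpoint attributes configured in the table are ANDed; this OR is only possible here.
assert(function()
  -- First alternative: McAfee VirusScan Enterprise, using the guide's own EVAL checks.
  if (EVAL(endpoint.av.McAfeeAV.exists, "EQ", "true", "string") and
      EVAL(endpoint.av.McAfeeAV.description, "EQ", "McAfee VirusScan Enterprise", "string")) then
    return true
  end
  -- Second alternative: "OtherAV" is a placeholder product key, not a real HostScan name.
  if (EVAL(endpoint.av.OtherAV.exists, "EQ", "true", "string")) then
    return true
  end
  -- Neither product found: this DAP record does not match.
  return false
end)()
```

Because the expression returns true as soon as one alternative holds, a connecting endpoint running either product satisfies the record, while an endpoint with neither falls through to the next DAP record in priority order. Keep the "exists" check before any check on a product's description so that the expression only inspects attributes the endpoint actually reported.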
The Access Policy Attributes section as shown in Figure 8 is where an administrator configures VPN
access attributes for a specific DAP record. When a user’s authorization attributes match the AAA,
Endpoint and/or Logical Expression criteria, the access policy attribute values configured in this section
are enforced. Attribute values specified here override those obtained from the AAA system,
including those in existing user, group, tunnel group, and default group records.
A DAP record has a limited set of attribute values that can be configured. These values fall under the
following tabs, as shown in Figures 8 through 14:
Figure 8. Action — Specifies special processing to apply to a specific connection or session.
Page 4 of 25
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco Systems
3/9/2012
http://kbase/paws/servlet/ViewFile/108000/dap-deploy-guide.xml?convertPaths=1