Cisco Cisco ASA 5525-X Adaptive Security Appliance 데이터 시트
Products & Services
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide
Document ID: 108000
Introduction
Virtual Private Network (VPN) gateways operate in dynamic environments. Multiple variables can affect
each VPN connection; for example, intranet configurations that frequently change, the various roles each
user may inhabit within an organization, and logins from remote access sites with different configurations
and levels of security. The task of authorizing users is much more complicated in a dynamic VPN
environment than it is in a network with a static configuration.
each VPN connection; for example, intranet configurations that frequently change, the various roles each
user may inhabit within an organization, and logins from remote access sites with different configurations
and levels of security. The task of authorizing users is much more complicated in a dynamic VPN
environment than it is in a network with a static configuration.
Dynamic access policies (DAP), a new feature introduced in software release v8.0 code of the Adaptive
Security Appliance (ASA), enable you to configure authorization that addresses the dynamics of VPN
environments. You create a dynamic access policy by setting a collection of access control attributes that
you associate with a specific user tunnel or session. These attributes address issues of multiple group
membership and endpoint security.
Security Appliance (ASA), enable you to configure authorization that addresses the dynamics of VPN
environments. You create a dynamic access policy by setting a collection of access control attributes that
you associate with a specific user tunnel or session. These attributes address issues of multiple group
membership and endpoint security.
For example, the security appliance grants access to a particular user for a particular session based on
the policies you define. It generates a DAP during user authentication by selecting and/or aggregating
attributes from one or more DAP records. It selects these DAP records based on the endpoint security
information of the remote device and/or AAA authorization information for the authenticated user. It then
applies the DAP record to the user tunnel or session.
the policies you define. It generates a DAP during user authentication by selecting and/or aggregating
attributes from one or more DAP records. It selects these DAP records based on the endpoint security
information of the remote device and/or AAA authorization information for the authenticated user. It then
applies the DAP record to the user tunnel or session.
Note: The dap.xml file, which contains the DAP policies selection attributes, is stored in the ASA's flash.
Although you can export the dap.xml file off-box, edit it (if you know about xml syntax), and re-import it
back, be very careful, because you can cause ASDM to stop processing DAP records if you have
misconfigured something. There is no CLI to manipulate this part of the configuration.
Although you can export the dap.xml file off-box, edit it (if you know about xml syntax), and re-import it
back, be very careful, because you can cause ASDM to stop processing DAP records if you have
misconfigured something. There is no CLI to manipulate this part of the configuration.
Note: Trying to configure the dynamic-access-policy-record access parameters via the CLI can cause
DAP to stop working although ASDM would correctly manage the same. Avoid the CLI, and always use
ASDM to manage DAP policies.
DAP to stop working although ASDM would correctly manage the same. Avoid the CLI, and always use
ASDM to manage DAP policies.
DAP and AAA Attributes
DAP complements AAA services and provides a limited set of authorization attributes that can override
attributes that AAA provides. The security appliance can select DAP records based on the AAA
authorization information for the user. The security appliance can select multiple DAP records depending
on this information, which it then aggregates to assign DAP authorization attributes.
attributes that AAA provides. The security appliance can select DAP records based on the AAA
authorization information for the user. The security appliance can select multiple DAP records depending
on this information, which it then aggregates to assign DAP authorization attributes.
You can specify AAA attributes from the Cisco AAA attribute hierarchy, or from the full set of response
attributes that the security appliance receives from a RADIUS or LDAP server as shown in Figure 1.
attributes that the security appliance receives from a RADIUS or LDAP server as shown in Figure 1.
Figure 1. DAP AAA Attribute GUI
Contents
Introduction
DAP and AAA Attributes
DAP and Endpoint Security Attributes
Default Dynamic Access Policy
Configuring Dynamic Access Policies
Aggregating Multiple Dynamic Access Policies
DAP Implementation
Conclusion
Cisco Support Community - Featured Conversations
Related Information
Page 1 of 25
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco Systems
3/9/2012
http://kbase/paws/servlet/ViewFile/108000/dap-deploy-guide.xml?convertPaths=1