Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.4.1
Using Match Criteria to Configure Dynamic Access Policies

You can match Host Scan results, prelogin policies, basic Host Scan entries, or any combination of these criteria with any other policy attributes you specify to grant access rights to users dynamically.

Configure DAPs as follows:


Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.

The Add or Edit Dynamic Policy window opens (Figure 7-1).

Figure 7-1 Add Dynamic Access Policy

Step 2 Use the Policy Name field at the top of the window to name the DAP.

Step 3 Select the ANY, ALL, or NONE option in the drop-down list on the left side of the Selection Criteria area.

Step 4 Click the Add button on the left to specify an AAA attribute type and its values, then click OK. Repeat for each AAA attribute you want this DAP to use.

Step 5 Move the mouse to the right of the Endpoint Attribute table and click Add.

The Add Endpoint Attribute window opens (Figure 7-2).

Figure 7-2 Add Endpoint Attribute


Note If the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked and you select Antispyware, Antivirus, or Personal Firewall, ASDM populates the Vendor ID and Vendor Description drop-down menus. Otherwise, it shows blank fields next to the Vendor ID and Vendor Description attribute names.


Step 6 Select one of the following values next to Endpoint Attribute Type:

Antispyware (active only if you checked a Host Scan extension in the Host Scan pane)

Antivirus (active only if you checked a Host Scan extension in the Host Scan pane)

Device to specify any of the following: host name, MAC address, port number, privacy protection for Cache Cleaner or Secure Desktop, version of CSD, and version of the Endpoint Assessment.

File specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane

Operating System

Process specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane

Personal Firewall (active only if you checked a Host Scan extension in the Host Scan pane)

Policy to match a configured prelogin policy

Registry (key) specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane

The Add Endpoint Attribute window displays the attributes and options associated with the Endpoint Attribute Type value you select.

Step 7 Select the value for the endpoint attribute type, and configure any match criteria associated with that value that you want to require.

Step 8 Click OK.

The Add or Edit Endpoint Attribute window closes, leaving the Add or Edit Dynamic Policy window open.

Step 9 Complete the configuration of any other endpoint attributes to specify any other criteria you want to use to identify the remote access devices for which the DAP applies.

Step 10 Click Continue or Terminate in the Action tab to specify whether to assign the attributes of this policy to sessions that match its criteria or terminate those sessions.

Step 11 (Optional) Enter a text message in the User Message box. See the online help for details.

Step 12 Set the attribute values in the tabs at the bottom of the Add Dynamic Access Policy window to configure access rights and restrictions as described in the online help, and click OK.
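To make the selection logic of Steps 3 through 10 concrete, the following Python model is an added example and is not code from this guide or from Cisco. It assumes that the ANY/ALL/NONE selector applies to the configured AAA attribute values, that every configured endpoint attribute criterion must be satisfied for the DAP to apply, and that the attribute names and values in the sample session (memberOf, Location, Enabled) are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class EndpointCriterion:
    attr_type: str   # Endpoint Attribute Type from Step 6, e.g. "Antivirus", "Policy"
    expected: dict   # attribute name -> value the Host Scan result must report

@dataclass
class DynamicAccessPolicy:
    name: str
    aaa_mode: str                                 # Step 3: "ANY", "ALL" or "NONE"
    aaa_attrs: dict                               # Step 4: AAA attribute -> required value
    endpoint: list = field(default_factory=list)  # Steps 5-9: endpoint criteria
    action: str = "Continue"                      # Step 10: "Continue" or "Terminate"

def aaa_matches(mode: str, required: dict, session_aaa: dict) -> bool:
    """Apply the ANY/ALL/NONE selector to the configured AAA attribute values."""
    hits = [session_aaa.get(name) == value for name, value in required.items()]
    if mode == "ANY":
        return any(hits)
    if mode == "ALL":
        return all(hits)
    if mode == "NONE":
        return not any(hits)
    raise ValueError(f"unknown selection mode {mode!r}")

def endpoint_matches(criteria: list, hostscan: dict) -> bool:
    """Model assumption: every configured endpoint criterion must be satisfied."""
    for crit in criteria:
        reported = hostscan.get(crit.attr_type, {})   # {} when Host Scan reported nothing
        if any(reported.get(k) != v for k, v in crit.expected.items()):
            return False
    return True

def evaluate(dap: DynamicAccessPolicy, session_aaa: dict, hostscan: dict):
    """Return the DAP's action if the session matches its criteria, else None."""
    if (aaa_matches(dap.aaa_mode, dap.aaa_attrs, session_aaa)
            and endpoint_matches(dap.endpoint, hostscan)):
        return dap.action
    return None

# Constructed sample (hypothetical names): continue sessions of VPN-Users members whose
# endpoint passed the "Corporate" prelogin policy and reports an enabled antivirus.
CORP_DAP = DynamicAccessPolicy(
    name="corporate-laptops", aaa_mode="ALL", aaa_attrs={"memberOf": "VPN-Users"},
    endpoint=[EndpointCriterion("Policy", {"Location": "Corporate"}),
              EndpointCriterion("Antivirus", {"Enabled": True})])
SESSION_AAA = {"memberOf": "VPN-Users"}
HOSTSCAN_OK = {"Policy": {"Location": "Corporate"}, "Antivirus": {"Enabled": True}}
HOSTSCAN_NO_AV = {"Policy": {"Location": "Corporate"}}   # antivirus absent -> no match
```

A session that satisfies the AAA selector but fails any endpoint criterion (here, a missing antivirus result) does not match, so the DAP's action is not applied to it.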