Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.5
Using Match Criteria to Configure Dynamic Access Policies
Table Of Contents

Using Match Criteria to Configure Dynamic Access Policies

Configuring Dynamic Access Policies

Specifying Windows 7 in a Dynamic Access Policy

Lua Expressions for Mobile Device Posture Assessment

Device Operating System Checks

Device Architecture Checks

Device Lock Status

Device Lock Disabled

Device Lock Enabled

Device Lock Active

Device Lock Is Not Active

Device Lock Timeout Too Large

Device Lock Timeout Too Small

Device Lock Age Too Large

Device Lock Age Too Small

Device Lock Complexity Numeric

Device Lock Complexity Strong

Secondary Storage Status

Secondary Storage Encryption Exists

Secondary Storage Encryption Disabled

Secondary Storage Encryption Enabled

Password Checks

Password Length Too Small

Password Length Too Large

Password Strength Weak

Password Strength Strong

Password Strength Strong/Weak

SIM Policy

SIM Locking Ability

SIM Locking Ability Is Enabled

SIM Locking Ability Is Not Enabled

SIM Lock Is Active

SIM Lock Is Not Active

GPS Hardware and Location Checks

GPS Hardware Exists

GPS Hardware Does Not Exist

GPS Hardware Is Enabled

GPS Hardware Is Disabled

GPS Latitude Check

GPS Longitude Check

Application Checks

Application Installed Check

Application Is Not Installed Check

Bluetooth® Hardware and Status Checks

Bluetooth Hardware Exists Check

Bluetooth Hardware Does Not Exist Check

Bluetooth Is Enabled Check

Bluetooth Is Not Enabled Check

Bluetooth State Is In "Discoverable" State Check

Bluetooth State Is In "Hidden" State Check


Using Match Criteria to Configure Dynamic Access Policies


You can match Host Scan results, prelogin policies, basic Host Scan entries, or any combination of these criteria with any other policy attributes you specify to grant access rights to users dynamically.

To learn more about Lua expressions in Dynamic Access Policies, see the section on "Configuring Dynamic Access Policies" in Cisco Security Appliance Configuration Guide Using ASDM.

Configuring Dynamic Access Policies


Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.

The Add or Edit Dynamic Policy window opens (Figure 7-1).

Figure 7-1 Add Dynamic Access Policy

Step 2 Use the Policy Name field at the top of the window to name the DAP.

Step 3 Select the ANY, ALL, or NONE option in the drop-down list on the left side of the Selection Criteria area.

Step 4 Click the Add button on the left to specify AAA attribute type and values, then click OK. Repeat for each AAA attribute to use for this DAP.

Step 5 Move the mouse to the right of the Endpoint Attribute table and click Add.

The Add Endpoint Attribute window opens (Figure 7-2).

Figure 7-2 Add Endpoint Attribute


Note If the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked and you select Antispyware, Antivirus, or Personal Firewall, ASDM populates the Vendor ID and Vendor Description drop-down menus. Otherwise, it shows blank fields next to the Vendor ID and Vendor Description attribute names.


Step 6 Select one of the following values next to Endpoint Attribute Type:

Antispyware (active only if you checked a Host Scan extension in the Host Scan pane)

Antivirus (active only if you checked a Host Scan extension in the Host Scan pane)

Application allows you to match the VPN application in use.

File specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane.

Device to specify any of the following: host name, MAC address, port number, privacy protection for Cache Cleaner or Secure Desktop, version of CSD, and version of the Endpoint Assessment.

NAC allows you to match the posture status as defined by your AAA server.

Operating System allows you to match the operating system version, service pack, and hot fix version.

Personal Firewall (active only if you checked a Host Scan extension in the Host Scan pane)

Policy allows you to match existing prelogin policies defined in ASDM.

Process specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane

Registry (key) specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane

The Add Endpoint Attribute window displays the attributes and options associated with the Endpoint Attribute Value you select.

Step 7 Select the value of the endpoint attribute type and configure any match criteria associated with that value that you want to require.

Step 8 Click OK.

The Add or Edit Endpoint Attribute window closes, leaving the Add or Edit Dynamic Policy window open.

Step 9 Complete the configuration of any other endpoint attributes to specify any other criteria you want to use to identify the remote access devices for which the DAP applies.

Step 10 Click Continue or Terminate in the Action tab to specify whether to assign the attributes of this policy to sessions that match its criteria or terminate those sessions.

Step 11 (Optional) Enter a text message in the User Message box. See the online help for details.

Step 12 Set the attribute values in the tabs at the bottom of the Add Dynamic Access Policy window to configure access rights and restrictions as described in the online help, and click OK.


Specifying Windows 7 in a Dynamic Access Policy

You can test for Windows 7 in a dynamic access policy, either through the ASDM GUI or by using a Lua expression.

Specifying Windows 7 as an Endpoint Attribute in the ASDM GUI

You can specify Windows 7 as an endpoint attribute in the ASDM GUI if you are using ASDM version 6.2(5) on an ASA running ASA version 8.2.2 or earlier.

Figure 7-3 Windows 7 specified as an endpoint attribute using ASDM GUI

Specifying Windows 7 as an Operating System Attribute Using a Lua Expression

If the ASDM version on your ASA is earlier than 6.2(5), you can still use a DAP to check for the Windows 7 OS, but you must do so with a Lua expression.

This Lua expression is true if the operating system on the endpoint is Windows 7.

(EVAL(endpoint.os.version,"EQ","Windows 7","string"))

Figure 7-4 Windows 7 specified in a Lua expression

Lua Expressions for Mobile Device Posture Assessment

Use Dynamic Access Policies (DAPs) to gather posture information from Windows Mobile devices. DAPs are written in the Lua language and are most easily configured using the ASDM interface for the ASA. See the Configuring Dynamic Access Policies chapter of the Cisco Security Appliance Configuration Guide Using ASDM to learn more about configuring DAP.

This section provides many examples of Lua expressions you can use to write DAPs to gather mobile device posture information.

Device Operating System Checks

Device Architecture Checks

Device Lock Status

Secondary Storage Status

Password Checks

SIM Policy

GPS Hardware and Location Checks

Application Checks

Bluetooth® Hardware and Status Checks

All these test cases require CSD 3.5. Advanced DAP Lua scripts are required for the checks below until the ASDM DAP GUI includes this capability.

Device Operating System Checks

This expression is true if the mobile device is running Windows Mobile 5, 6, 6.1, 6.1.4, or 6.5 operating system.

(
  EVAL(endpoint.os.version, "EQ", "Windows Mobile 5", "string")  or
  EVAL(endpoint.os.version, "EQ", "Windows Mobile 6", "string")  or
  EVAL(endpoint.os.version, "EQ", "Windows Mobile 6.1", "string") or
  EVAL(endpoint.os.version, "EQ", "Windows Mobile 6.1.4", "string") or
  EVAL(endpoint.os.version, "EQ", "Windows Mobile 6.5", "string")
)

Device Architecture Checks

These expressions check to see what architecture the endpoint is running.

Possible values for a desktop: "x64", "x86", "ia64", "ppc" and "unknown". Possible values for Windows Mobile are: "arm" and "unknown".

If the mobile device has one of these architectures, the expression is true.

(
  EVAL(endpoint.os.architecture,"EQ","arm","string") or
  EVAL(endpoint.os.architecture,"EQ","x86","string") or
  EVAL(endpoint.os.architecture,"EQ","x64","string") or
  EVAL(endpoint.os.architecture,"EQ","ia64","string") or
  EVAL(endpoint.os.architecture,"EQ","ppc","string") or
  EVAL(endpoint.os.architecture,"EQ","unknown","string")
)

Device Lock Status

These are Lua expressions that evaluate device lock status:

Device Lock Disabled

Device Lock Enabled

Device Lock Active

Device Lock Is Not Active

Device Lock Timeout Too Large

Device Lock Timeout Too Small

Device Lock Age Too Large

Device Lock Age Too Small

Device Lock Complexity Numeric

Device Lock Complexity Strong

Device Lock Disabled

This expression is true if the device lock feature is disabled on the device.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].enabled,"EQ","false","string")
)

Device Lock Enabled

This expression is true if the device lock feature is enabled on the device.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].enabled,"EQ","true","string")
)

Device Lock Active

This expression is true if the device is locked.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].active,"EQ","true","string")
)

Device Lock Is Not Active

This expression is true if the device is unlocked.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].active,"EQ","false","string")
)

Device Lock Timeout Too Large

The device lock timeout is the interval, in minutes, after which the device auto-locks itself. This expression is true if the device lock timeout is greater than ten minutes.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].timeoutmins,"GT","10","integer")
)

Device Lock Timeout Too Small

The device lock timeout is the interval, in minutes, after which the device auto-locks itself. This expression is true if the device lock timeout is less than ten minutes.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].timeoutmins,"LT","10","integer")
)

Device Lock Age Too Large

The device lock age is the interval, in seconds, since the last device PIN change occurred. This expression is true if the device lock age is greater than 432000 seconds (5 days).

(
  EVAL(endpoint.device.devicelock["DeviceLock"].age,"GT","432000","integer")
)

Device Lock Age Too Small

The device lock age is the interval, in seconds, since the last device PIN change occurred. This expression is true if the device lock age is less than 432000 seconds (5 days).

(
  EVAL(endpoint.device.devicelock["DeviceLock"].age,"LT","432000","integer")
)

Device Lock Complexity Numeric

A simple PIN is a password that uses only numbers and is at least four digits long. This expression is true if the device has a password that is at least four digits long and made up of numbers only.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].complexity,"EQ","numeric","string")
)

Device Lock Complexity Strong

A strong PIN is an alphanumeric password; it can have uppercase and lowercase letters, numbers, and symbols. This expression is true if the device password is a strong PIN.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].complexity,"EQ","strong","string")
)

Secondary Storage Status

These are Lua expressions that evaluate secondary storage status:

Secondary Storage Encryption Exists

Secondary Storage Encryption Disabled

Secondary Storage Encryption Enabled

Secondary Storage Encryption Exists

This expression is true if the device can encrypt a secondary storage card.

(
  EVAL(endpoint.device.autoencryption["Auto-encryption"].exists,"EQ","true","string")
)

Secondary Storage Encryption Disabled

This expression is true if encryption on the secondary storage card is disabled.

(
  EVAL(endpoint.device.autoencryption["Auto-encryption"].enabled,"EQ","false","string")
)

Secondary Storage Encryption Enabled

This expression is true if the encryption on the secondary storage card is enabled.

(
  EVAL(endpoint.device.autoencryption["Auto-encryption"].enabled,"EQ","true","string")
)

Password Checks

These are Lua expressions that evaluate password characteristics:

Password Length Too Small

Password Length Too Large

Password Strength Weak

Password Strength Strong

Password Strength Strong/Weak

Password Length Too Small

This expression is true if the device password is less than 4 characters.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].policylength,"LT","4","integer")
)

Password Length Too Large

This expression is true if the device password is greater than 4 characters.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].policylength,"GT","4","integer")
)

Password Strength Weak

This expression is true if the password strength is weak as defined by the exchange server.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].policycomplexity,"EQ","numeric","string")
)

Password Strength Strong

This expression is true if the password strength is strong as defined by the exchange server.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].policycomplexity,"EQ","strong","string")
)

Password Strength Strong/Weak

This expression is true if the password policy complexity, which is normally set by the Exchange server, is alphanumeric.

(
  EVAL(endpoint.device.devicelock["DeviceLock"].policycomplexity,"EQ","alphanumeric","string")
)

SIM Policy

These are Lua expressions that evaluate SIM card characteristics:

SIM Locking Ability

SIM Locking Ability Is Enabled

SIM Locking Ability Is Not Enabled

SIM Lock Is Active

SIM Lock Is Not Active

SIM Locking Ability

This expression is true if the device has the ability to lock the SIM.

(
  EVAL(endpoint.device.simpinlock["SIM"].exists,"EQ","true","string")
)

SIM Locking Ability Is Enabled

This expression is true if the SIM card has a PIN.

(
  EVAL(endpoint.device.simpinlock["SIM"].enabled,"EQ","true","string")
)

SIM Locking Ability Is Not Enabled

This expression is true if the SIM card does not have a PIN.

(
  EVAL(endpoint.device.simpinlock["SIM"].enabled,"EQ","false","string")
)

SIM Lock Is Active

This expression is true if the SIM card is in a locked state.

(
  EVAL(endpoint.device.simpinlock["SIM"].active,"EQ","true","string")
)

SIM Lock Is Not Active

This expression is true if the SIM card is not in a locked state.

(
  EVAL(endpoint.device.simpinlock["SIM"].active,"EQ","false","string")
)

GPS Hardware and Location Checks

Host Scan does not wait for the GPS device to activate in order to retrieve location information. It reports the latest GPS location if the GPS device is active and has a GPS fix.

If the GPS hardware is off, Host Scan does not switch it on. It uses the cached location information at the timestamp noted. If the mobile device has erased or invalidated latitude and longitude information, it will not be reported to Host Scan.

These are Lua expressions that evaluate mobile device location:

GPS Hardware Exists

GPS Hardware Does Not Exist

GPS Hardware Is Enabled

GPS Hardware Is Disabled

GPS Latitude Check

GPS Longitude Check

GPS Hardware Exists

This expression is true if GPS hardware exists on the device.

(
  EVAL(endpoint.device.gps["GPS"].exists,"EQ","true","string")
)

GPS Hardware Does Not Exist

This expression is true if GPS hardware does not exist on the device.

(
  EVAL(endpoint.device.gps["GPS"].exists,"EQ","false","string")
)

GPS Hardware Is Enabled

This expression is true if GPS hardware is enabled on the device.

(
  EVAL(endpoint.device.gps["GPS"].enabled,"EQ","true","string")
)

GPS Hardware Is Disabled

This expression is true if GPS hardware is disabled on the device.

(
  EVAL(endpoint.device.gps["GPS"].state,"EQ","off","string")
)

GPS Latitude Check

The GPS must have a satellite fix in order for Host Scan to return the latitude. This expression is true if the device's latitude is greater than 40 degrees north and less than 45 degrees north.

(
  EVAL(endpoint.device.gps["GPS"].latitude,"GT","40.0","integer") and
  EVAL(endpoint.device.gps["GPS"].latitude,"LT","45.0","integer")
)

GPS Longitude Check

The GPS must have a satellite fix in order for Host Scan to return the longitude. This expression is true if the device's longitude is less than 75 degrees west longitude and greater than 70 degrees west longitude.

(
  EVAL(endpoint.device.gps["GPS"].longitude,"LT","-70.0","integer") and
  EVAL(endpoint.device.gps["GPS"].longitude,"GT","-75.0","integer")
)
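As an added example (not from the Cisco guide), the latitude and longitude range checks above combined into one geofence expression and guarded by the hardware checks from this section. The page notes that Host Scan reports cached location data when the GPS is off and nothing at all when the fix has been invalidated, so a policy that only tests coordinates can match on stale data; requiring the hardware to exist, be enabled and not be off first is the added defensive pattern here. Every attribute name and value is taken from the expressions on this page; only the composition is new.

```lua
-- Added example, not from the Cisco guide: a geofence (40-45 N, 70-75 W, the
-- guide's own boundary values) that can only be satisfied while the GPS hardware
-- is present, enabled and not switched off. The guard clauses come first so that
-- a device without a usable fix never reaches the coordinate comparisons.
(
  EVAL(endpoint.device.gps["GPS"].exists,"EQ","true","string") and
  EVAL(endpoint.device.gps["GPS"].enabled,"EQ","true","string") and
  EVAL(endpoint.device.gps["GPS"].state,"NE","off","string") and
  EVAL(endpoint.device.gps["GPS"].latitude,"GT","40.0","integer") and
  EVAL(endpoint.device.gps["GPS"].latitude,"LT","45.0","integer") and
  EVAL(endpoint.device.gps["GPS"].longitude,"GT","-75.0","integer") and
  EVAL(endpoint.device.gps["GPS"].longitude,"LT","-70.0","integer")
)
```

The `--` lines are ordinary Lua comments; remove them before pasting if your ASDM version does not accept comments in the Advanced Lua field.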

Application Checks

These Lua expressions evaluate applications installed on the mobile device:

Application Installed Check

Application Is Not Installed Check

Application Installed Check

This expression is true if a specific application, Cisco AnyConnect Mobile VPN Client, is installed on the device.

(
  EVAL(endpoint.device.application["Cisco AnyConnect Mobile VPN Client"],"EQ","true","string")
)

Application Is Not Installed Check

This expression is true if a specific application, Bad Application, is not installed on the device.

(
  EVAL(endpoint.device.application["Bad Application"],"NE","true","string")
)

Bluetooth® Hardware and Status Checks

These Lua expressions evaluate Bluetooth hardware status:

Bluetooth Hardware Exists Check

Bluetooth Hardware Does Not Exist Check

Bluetooth Is Enabled Check

Bluetooth Is Not Enabled Check

Bluetooth State Is In "Discoverable" State Check

Bluetooth State Is In "Hidden" State Check

Bluetooth Hardware Exists Check

This expression is true if Bluetooth hardware exists on the device.

(
  EVAL(endpoint.device.bluetooth["Bluetooth"].exists,"EQ","true","string")
)

Bluetooth Hardware Does Not Exist Check

This expression is true if Bluetooth hardware does not exist on the device.

(
  EVAL(endpoint.device.bluetooth["Bluetooth"].exists,"NE","true","string")
)

Bluetooth Is Enabled Check

This expression is true if Bluetooth is enabled on the device.

(
  EVAL(endpoint.device.bluetooth["Bluetooth"].enabled,"EQ","true","string")
)

Bluetooth Is Not Enabled Check

This expression is true if Bluetooth is disabled on the device.

(
  EVAL(endpoint.device.bluetooth["Bluetooth"].enabled,"NE","true","string")
)

Bluetooth State Is In "Discoverable" State Check

This expression is true if Bluetooth state is in "Discoverable" mode on the device.

(
  EVAL(endpoint.device.bluetooth["Bluetooth"].state,"EQ","discoverable","string")
)

Bluetooth State Is In "Hidden" State Check

This expression is true if Bluetooth state is in "Hidden" mode on the device.

(
  EVAL(endpoint.device.bluetooth["Bluetooth"].state,"EQ","hidden","string")
)
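The checks in the Device Lock Status, Secondary Storage Status, SIM Policy and Bluetooth sections are each a single condition; a production DAP usually needs several of them at once, and the Action tab (Continue or Terminate) decides what a match means. The following is an added example, not taken from the Cisco guide: one expression for a DAP whose Action is Terminate, true when a Windows Mobile endpoint fails a baseline assembled from the attributes and threshold values shown on this page. Which checks make up the baseline, and the scoping to two Windows Mobile versions, are illustrative assumptions.

```lua
-- Added example, not from the Cisco guide. Intended for a DAP with Action = Terminate:
-- the whole expression is true when a Windows Mobile endpoint fails the baseline.
-- Attribute names and thresholds come from the guide's individual checks; the
-- composition (which checks, in which combination) is an illustrative assumption.
(
  -- Scope: only Windows Mobile endpoints, so desktops that report no devicelock
  -- or SIM attributes are never terminated by this DAP. Extend the list with the
  -- other versions from "Device Operating System Checks" as required.
  (
    EVAL(endpoint.os.version,"EQ","Windows Mobile 6.1","string") or
    EVAL(endpoint.os.version,"EQ","Windows Mobile 6.5","string")
  )
  and
  -- Baseline: every condition inside must hold for a compliant device.
  not (
    -- Device lock enabled, auto-lock within ten minutes, strong PIN, and PIN
    -- changed within the last five days (432000 seconds).
    EVAL(endpoint.device.devicelock["DeviceLock"].enabled,"EQ","true","string") and
    not EVAL(endpoint.device.devicelock["DeviceLock"].timeoutmins,"GT","10","integer") and
    not EVAL(endpoint.device.devicelock["DeviceLock"].age,"GT","432000","integer") and
    EVAL(endpoint.device.devicelock["DeviceLock"].complexity,"EQ","strong","string") and
    -- Storage card encryption available and switched on.
    EVAL(endpoint.device.autoencryption["Auto-encryption"].exists,"EQ","true","string") and
    EVAL(endpoint.device.autoencryption["Auto-encryption"].enabled,"EQ","true","string") and
    -- SIM protected by a PIN.
    EVAL(endpoint.device.simpinlock["SIM"].enabled,"EQ","true","string") and
    -- Bluetooth may be on, but the device must not be discoverable.
    EVAL(endpoint.device.bluetooth["Bluetooth"].state,"NE","discoverable","string")
  )
)
```

The parenthesized baseline without the leading `not` is the matching expression for a companion DAP with Action set to Continue, so compliant and non-compliant devices each hit exactly one policy. `not` binds tighter than `and` in Lua, which is why `not EVAL(...) and ...` needs no extra parentheses. The `--` lines are Lua comments; remove them before pasting if your ASDM version does not accept comments in the Advanced Lua field.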