Table Of Contents
Using Match Criteria to Configure Dynamic Access Policies
Configuring Dynamic Access Policies
Specifying Windows 7 in a Dynamic Access Policy
Lua Expressions for Mobile Device Posture Assessment
Device Operating System Checks
Device Architecture Checks
Device Lock Status
Device Lock Disabled
Device Lock Enabled
Device Lock Active
Device Lock Is Not Active
Device Lock Timeout Too Large
Device Lock Timeout Too Small
Device Lock Age Too Large
Device Lock Age Too Small
Device Lock Complexity Numeric
Device Lock Complexity Strong
Secondary Storage Status
Secondary Storage Encryption Exists
Secondary Storage Encryption Disabled
Secondary Storage Encryption Enabled
Password Checks
Password Length Too Small
Password Length Too Large
Password Strength Weak
Password Strength Strong
Password Strength Strong/Weak
SIM Policy
SIM Locking Ability
SIM Locking Ability Is Enabled
SIM Locking Ability Is Not Enabled
SIM Lock Is Active
SIM Lock Is Not Active
GPS Hardware and Location Checks
GPS Hardware Exists
GPS Hardware Does Not Exist
GPS Hardware Is Enabled
GPS Hardware Is Disabled
GPS Latitude Check
GPS Longitude Check
Application Checks
Application Installed Check
Application Is Not Installed Check
Bluetooth® Hardware and Status Checks
Bluetooth Hardware Exists Check
Bluetooth Hardware Does Not Exist Check
Bluetooth Is Enabled Check
Bluetooth Is Not Enabled Check
Bluetooth State Is In "Discoverable" State Check
Bluetooth State Is In "Hidden" State Check
Using Match Criteria to Configure Dynamic Access Policies
You can match Host Scan results, prelogin policies, basic Host Scan entries, or any combination of these criteria with any other policy attributes you specify to grant access rights to users dynamically.
To learn more about Lua expressions in Dynamic Access Policies, see the section on "Configuring Dynamic Access Policies" in Cisco Security Appliance Configuration Guide Using ASDM.
Configuring Dynamic Access Policies
Step 1
Choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.
The Add or Edit Dynamic Policy window opens (Figure 7-1).
Figure 7-1 Add Dynamic Access Policy
Step 2
Use the Policy Name field at the top of the window to name the DAP.
Step 3
Select the ANY, ALL, or NONE option in the drop-down list on the left side of the Selection Criteria area.
Step 4
Click the Add button on the left to specify AAA attribute type and values, then click OK. Repeat for each AAA attribute to use for this DAP.
Step 5
Move the mouse to the right of the Endpoint Attribute table and click Add.
The Add Endpoint Attribute window opens (Figure 7-2).
Figure 7-2 Add Endpoint Attribute
Note
If the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked and you select Antispyware, Antivirus, or Personal Firewall, ASDM populates the Vendor ID and Vendor Description drop-down menus. Otherwise, it shows blank fields next to the Vendor ID and Vendor Description attribute names.
Step 6
Select one of the following values next to Endpoint Attribute Type:
• Antispyware (active only if you checked a Host Scan extension in the Host Scan pane)
• Antivirus (active only if you checked a Host Scan extension in the Host Scan pane)
• Application allows you to match the VPN application in use.
• File specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane.
• Device to specify any of the following: host name, MAC address, port number, privacy protection for Cache Cleaner or Secure Desktop, version of CSD, and version of the Endpoint Assessment.
• NAC allows you to match the posture status as defined by your AAA server.
• Operating System allows you to match the operating system version, service pack, and hot fix version.
• Personal Firewall (active only if you checked a Host Scan extension in the Host Scan pane)
• Policy allows you to match existing prelogin policies defined in ASDM.
• Process specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane.
• Registry (key) specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane.
The Add Endpoint Attribute window displays the attributes and options associated with the Endpoint Attribute Type you select.
Step 7
Select the value of the endpoint attribute type and configure any match criteria associated with that value that you want to require.
Step 8
Click OK.
The Add or Edit Endpoint Attribute window closes, leaving the Add or Edit Dynamic Policy window open.
Step 9
Complete the configuration of any other endpoint attributes to specify any other criteria you want to use to identify the remote access devices for which the DAP applies.
Step 10
Click Continue or Terminate in the Action tab to specify whether to assign the attributes of this policy to sessions that match its criteria or terminate those sessions.
Step 11
(Optional) Enter a text message in the User Message box. See the online help for details.
Step 12
Set the attribute values in the tabs at the bottom of the Add Dynamic Access Policy window to configure access rights and restrictions as described in the online help, and click OK.
Specifying Windows 7 in a Dynamic Access Policy
You can test for Windows 7 in a dynamic access policy, either through the ASDM GUI or by using a Lua expression.
• Specifying Windows 7 as an Endpoint Attribute in the ASDM GUI
You can specify Windows 7 as an endpoint attribute in the ASDM GUI if you are using ASDM version 6.2(5) on an ASA running ASA version 8.2.2 or earlier.
Figure 7-3 Windows 7 specified as an endpoint attribute using ASDM GUI
• Specifying Windows 7 as an Operating System Attribute Using a Lua Expression
If the ASDM version you are running is earlier than 6.2(5), you can still use a DAP to check for the Windows 7 OS, but you must do so with a Lua expression.
This Lua expression is true if the operating system on the endpoint is Windows 7.
(EVAL(endpoint.os.version,"EQ","Windows 7","string"))
Figure 7-4 Windows 7 specified in a Lua expression
Lua Expressions for Mobile Device Posture Assessment
Use Dynamic Access Policies (DAPs) to act on the posture information that Host Scan gathers from Windows Mobile devices. The advanced endpoint criteria of a DAP are written as Lua expressions, and DAPs are most easily configured using the ASDM interface for the ASA. See the Configuring Dynamic Access Policies chapter of the Cisco Security Appliance Configuration Guide Using ASDM to learn more about configuring DAP.
This section provides examples of Lua expressions you can use in DAPs to evaluate mobile device posture information:
• Device Operating System Checks
• Device Architecture Checks
• Device Lock Status
• Secondary Storage Status
• Password Checks
• SIM Policy
• GPS Hardware and Location Checks
• Application Checks
• Bluetooth® Hardware and Status Checks
All of these checks require CSD 3.5. Until the ASDM DAP GUI supports these attributes, they must be entered as Advanced DAP Lua expressions.
Device Operating System Checks
This expression is true if the mobile device is running the Windows Mobile 5, 6, 6.1, 6.1.4, or 6.5 operating system. Each EVAL is an exact string comparison, so every version string to be accepted must be listed explicitly.
EVAL(endpoint.os.version, "EQ", "Windows Mobile 5", "string") or
EVAL(endpoint.os.version, "EQ", "Windows Mobile 6", "string") or
EVAL(endpoint.os.version, "EQ", "Windows Mobile 6.1", "string") or
EVAL(endpoint.os.version, "EQ", "Windows Mobile 6.1.4", "string") or
EVAL(endpoint.os.version, "EQ", "Windows Mobile 6.5", "string")
Device Architecture Checks
These expressions check which architecture the endpoint is running.
Possible values for a desktop are "x64", "x86", "ia64", "ppc", and "unknown". Possible values for Windows Mobile are "arm" and "unknown".
The expression is true if the endpoint reports any one of these architectures.
EVAL(endpoint.os.architecture,"EQ","arm","string") or
EVAL(endpoint.os.architecture,"EQ","x86","string") or
EVAL(endpoint.os.architecture,"EQ","x64","string") or
EVAL(endpoint.os.architecture,"EQ","ia64","string") or
EVAL(endpoint.os.architecture,"EQ","ppc","string") or
EVAL(endpoint.os.architecture,"EQ","unknown","string")
Device Lock Status
These are Lua expressions that evaluate device lock status:
• Device Lock Disabled
• Device Lock Enabled
• Device Lock Active
• Device Lock Is Not Active
• Device Lock Timeout Too Large
• Device Lock Timeout Too Small
• Device Lock Age Too Large
• Device Lock Age Too Small
• Device Lock Complexity Numeric
• Device Lock Complexity Strong
Device Lock Disabled
This expression is true if the device lock feature is disabled on the device.
EVAL(endpoint.device.devicelock["DeviceLock"].enabled,"EQ","false","string")
Device Lock Enabled
This expression is true if the device lock feature is enabled on the device.
EVAL(endpoint.device.devicelock["DeviceLock"].enabled,"EQ","true","string")
Device Lock Active
This expression is true if the device is locked.
EVAL(endpoint.device.devicelock["DeviceLock"].active,"EQ","true","string")
Device Lock Is Not Active
This expression is true if the device is unlocked.
EVAL(endpoint.device.devicelock["DeviceLock"].active,"EQ","false","string")
Device Lock Timeout Too Large
The device lock timeout is the interval, in minutes, after which the device auto-locks itself. This expression is true if the device lock timeout is greater than ten minutes.
EVAL(endpoint.device.devicelock["DeviceLock"].timeoutmins,"GT","10","integer")
Device Lock Timeout Too Small
The device lock timeout is the interval, in minutes, after which the device auto-locks itself. This expression is true if the device lock timeout is less than ten minutes.
EVAL(endpoint.device.devicelock["DeviceLock"].timeoutmins,"LT","10","integer")
Device Lock Age Too Large
The device lock age is the interval, in seconds, since the last device PIN change occurred. This expression is true if the device lock age is greater than 432000 seconds (5 days).
EVAL(endpoint.device.devicelock["DeviceLock"].age,"GT","432000","integer")
Device Lock Age Too Small
The device lock age is the interval, in seconds, since the last device PIN change occurred. This expression is true if the device lock age is less than 432000 seconds (5 days).
EVAL(endpoint.device.devicelock["DeviceLock"].age,"LT","432000","integer")
Device Lock Complexity Numeric
A simple PIN is a password that uses only numbers and is at least four digits long. This expression is true if the device has a password that is at least four digits long and made up of numbers only.
EVAL(endpoint.device.devicelock["DeviceLock"].complexity,"EQ","numeric","string")
Device Lock Complexity Strong
A strong PIN is an alphanumeric password; it can have uppercase and lowercase letters, numbers, and symbols. This expression is true if the device password is of strong (alphanumeric) complexity.
EVAL(endpoint.device.devicelock["DeviceLock"].complexity,"EQ","strong","string")
Secondary Storage Status
These are Lua expressions that evaluate secondary storage status:
• Secondary Storage Encryption Exists
• Secondary Storage Encryption Disabled
• Secondary Storage Encryption Enabled
Secondary Storage Encryption Exists
This expression is true if the device can encrypt a secondary storage card.
EVAL(endpoint.device.autoencryption["Auto-encryption"].exists,"EQ","true","string")
Secondary Storage Encryption Disabled
This expression is true if encryption on the secondary storage card is disabled.
EVAL(endpoint.device.autoencryption["Auto-encryption"].enabled,"EQ","false","string")
Secondary Storage Encryption Enabled
This expression is true if the encryption on the secondary storage card is enabled.
EVAL(endpoint.device.autoencryption["Auto-encryption"].enabled,"EQ","true","string")
Password Checks
These are Lua expressions that evaluate password characteristics:
• Password Length Too Small
• Password Length Too Large
• Password Strength Weak
• Password Strength Strong
• Password Strength Strong/Weak
Password Length Too Small
This expression is true if the device password length is less than 4 characters.
EVAL(endpoint.device.devicelock["DeviceLock"].policylength,"LT","4","integer")
Password Length Too Large
This expression is true if the device password length is greater than 4 characters.
EVAL(endpoint.device.devicelock["DeviceLock"].policylength,"GT","4","integer")
Password Strength Weak
This expression is true if the password strength is weak (numeric only) as defined by the Exchange server.
EVAL(endpoint.device.devicelock["DeviceLock"].policycomplexity,"EQ","numeric","string")
Password Strength Strong
This expression is true if the password strength is strong as defined by the Exchange server.
EVAL(endpoint.device.devicelock["DeviceLock"].policycomplexity,"EQ","strong","string")
Password Strength Strong/Weak
This expression is true if the password policy complexity is alphanumeric, the setting normally pushed by the Exchange server.
EVAL(endpoint.device.devicelock["DeviceLock"].policycomplexity,"EQ","alphanumeric","string")
SIM Policy
These are Lua expressions that evaluate SIM card characteristics:
• SIM Locking Ability
• SIM Locking Ability Is Enabled
• SIM Locking Ability Is Not Enabled
• SIM Lock Is Active
• SIM Lock Is Not Active
SIM Locking Ability
This expression is true if the device has the ability to lock the SIM.
EVAL(endpoint.device.simpinlock["SIM"].exists,"EQ","true","string")
SIM Locking Ability Is Enabled
This expression is true if the SIM card has a PIN.
EVAL(endpoint.device.simpinlock["SIM"].enabled,"EQ","true","string")
SIM Locking Ability Is Not Enabled
This expression is true if the SIM card does not have a PIN.
EVAL(endpoint.device.simpinlock["SIM"].enabled,"EQ","false","string")
SIM Lock Is Active
This expression is true if the SIM card is in a locked state.
EVAL(endpoint.device.simpinlock["SIM"].active,"EQ","true","string")
SIM Lock Is Not Active
This expression is true if the SIM card is not in a locked state.
EVAL(endpoint.device.simpinlock["SIM"].active,"EQ","false","string")
GPS Hardware and Location Checks
Host Scan does not wait for the GPS device to activate in order to retrieve location information. It reports the latest GPS location if the GPS device is active and has a GPS fix.
If the GPS hardware is off, Host Scan does not switch it on. It uses the cached location information at the timestamp noted. If the mobile device has erased or invalidated the latitude and longitude information, it is not reported to Host Scan.
These are Lua expressions that evaluate mobile device location:
• GPS Hardware Exists
• GPS Hardware Does Not Exist
• GPS Hardware Is Enabled
• GPS Hardware Is Disabled
• GPS Latitude Check
• GPS Longitude Check
GPS Hardware Exists
This expression is true if GPS hardware exists on the device.
EVAL(endpoint.device.gps["GPS"].exists,"EQ","true","string")
GPS Hardware Does Not Exist
This expression is true if GPS hardware does not exist on the device.
EVAL(endpoint.device.gps["GPS"].exists,"EQ","false","string")
GPS Hardware Is Enabled
This expression is true if GPS hardware is enabled on the device.
EVAL(endpoint.device.gps["GPS"].enabled,"EQ","true","string")
GPS Hardware Is Disabled
This expression is true if GPS hardware is disabled on the device.
EVAL(endpoint.device.gps["GPS"].state,"EQ","off","string")
GPS Latitude Check
The GPS must have a satellite fix in order for Host Scan to return the latitude. This expression is true if the device's latitude is greater than 40 degrees north and less than 45 degrees north.
EVAL(endpoint.device.gps["GPS"].latitude,"GT","40.0","integer") and
EVAL(endpoint.device.gps["GPS"].latitude,"LT","45.0","integer")
GPS Longitude Check
The GPS must have a satellite fix in order for Host Scan to return the longitude. Western longitudes are negative, so this expression is true if the device's longitude is between 70 and 75 degrees west (a value between -70.0 and -75.0).
EVAL(endpoint.device.gps["GPS"].longitude,"LT","-70.0","integer") and
EVAL(endpoint.device.gps["GPS"].longitude,"GT","-75.0","integer")
Application Checks
These Lua expressions evaluate applications installed on the mobile device:
• Application Installed Check
• Application Is Not Installed Check
Application Installed Check
This expression is true if a specific application, Cisco AnyConnect Mobile VPN Client, is installed on the device.
EVAL(endpoint.device.application["Cisco AnyConnect Mobile VPN Client"],"EQ","true")
Application Is Not Installed Check
This expression is true if a specific application, Bad Application, is not installed on the device.
EVAL(endpoint.device.application["Bad Application"],"NE","true")
Bluetooth® Hardware and Status Checks
These Lua expressions evaluate Bluetooth hardware status:
• Bluetooth Hardware Exists Check
• Bluetooth Hardware Does Not Exist Check
• Bluetooth Is Enabled Check
• Bluetooth Is Not Enabled Check
• Bluetooth State Is In "Discoverable" State Check
• Bluetooth State Is In "Hidden" State Check
Bluetooth Hardware Exists Check
This expression is true if Bluetooth hardware exists on the device.
EVAL(endpoint.device.bluetooth["Bluetooth"].exists,"EQ","true","string")
Bluetooth Hardware Does Not Exist Check
This expression is true if Bluetooth hardware does not exist on the device.
EVAL(endpoint.device.bluetooth["Bluetooth"].exists,"NE","true","string")
Bluetooth Is Enabled Check
This expression is true if Bluetooth is enabled on the device.
EVAL(endpoint.device.bluetooth["Bluetooth"].enabled,"EQ","true","string")
Bluetooth Is Not Enabled Check
This expression is true if Bluetooth is disabled on the device.
EVAL(endpoint.device.bluetooth["Bluetooth"].enabled,"NE","true","string")
Bluetooth State Is In "Discoverable" State Check
This expression is true if Bluetooth state is in "Discoverable" mode on the device.
EVAL(endpoint.device.bluetooth["Bluetooth"].state,"EQ","discoverable","string")
Bluetooth State Is In "Hidden" State Check
This expression is true if Bluetooth state is in "Hidden" mode on the device.
EVAL(endpoint.device.bluetooth["Bluetooth"].state,"EQ","hidden","string")
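The following is an added example and is not part of the Cisco documentation: a stand-alone Lua harness for exercising the expressions from the Device Lock, Secondary Storage, Bluetooth and GPS sections above against sample posture data before committing them to a DAP. The EVAL function in it is a local model of the ASA's built-in, assumed to take attribute, operator, value and type with the operators EQ, NE, LT, GT, LE and GE; the endpoint tables are constructed sample records, not real Host Scan output; and treating a missing attribute as a failed check is this harness's own choice, labelled as such in the code. It demonstrates two things the individual expressions do not show: why the "integer" type matters for numeric attributes such as timeoutmins, and how negating a check with not fails open when the attribute is absent.

```lua
-- Added example (not Cisco code): offline harness for DAP posture expressions.
-- ASSUMPTIONS: EVAL() models the ASA's EVAL(attribute, operator, value, type)
-- with operators EQ/NE/LT/GT/LE/GE and the types "string" and "integer";
-- a missing attribute is treated as a failed check here (fail closed).
-- Run with any Lua 5.1+ interpreter.

local function EVAL(attr, op, value, vtype)
  if attr == nil then return false end        -- attribute not reported by Host Scan
  local a, b = tostring(attr), tostring(value)
  if vtype == "integer" then                  -- numeric rather than lexical comparison
    a, b = tonumber(a), tonumber(b)
    if a == nil or b == nil then return false end
  end
  if     op == "EQ" then return a == b
  elseif op == "NE" then return a ~= b
  elseif op == "LT" then return a <  b
  elseif op == "GT" then return a >  b
  elseif op == "LE" then return a <= b
  elseif op == "GE" then return a >= b
  end
  error("unsupported operator: " .. tostring(op))
end

-- Safe accessor for endpoint.device.<group>["<key>"]; empty table if absent.
local function section(endpoint, group, key)
  local device = endpoint.device or {}
  local group_tbl = device[group] or {}
  return group_tbl[key] or {}
end

-- Composite policy built from the page's Device Lock, Secondary Storage and
-- Bluetooth expressions. True means the device satisfies the policy.
local function mobile_posture_ok(endpoint)
  local lock = section(endpoint, "devicelock", "DeviceLock")
  local enc  = section(endpoint, "autoencryption", "Auto-encryption")
  local bt   = section(endpoint, "bluetooth", "Bluetooth")
  local os_version = (endpoint.os or {}).version
  return EVAL(os_version,       "EQ", "Windows Mobile 6.5", "string")
     and EVAL(lock.enabled,     "EQ", "true",   "string")
     -- LE closes the gap that pairing GT 10 with LT 10 leaves at exactly 10.
     -- `not EVAL(lock.timeoutmins, "GT", "10", "integer")` would instead pass
     -- a device that reports no timeout at all, because EVAL(nil, ...) is false.
     and EVAL(lock.timeoutmins, "LE", "10",     "integer")
     and EVAL(lock.complexity,  "EQ", "strong", "string")
     and EVAL(enc.enabled,      "EQ", "true",   "string")
     -- `and` binds tighter than `or`, so the alternative needs its own parentheses.
     and (EVAL(bt.exists, "EQ", "false", "string")
          or EVAL(bt.state, "NE", "discoverable", "string"))
end

-- Geofence from the page's GPS checks: 40-45 N, 70-75 W. The "integer" type
-- makes "40.0" compare numerically; a device without a fix reports no
-- position and therefore fails closed.
local function inside_geofence(endpoint)
  local gps = section(endpoint, "gps", "GPS")
  return EVAL(gps.latitude,  "GT", "40.0",  "integer")
     and EVAL(gps.latitude,  "LT", "45.0",  "integer")
     and EVAL(gps.longitude, "LT", "-70.0", "integer")
     and EVAL(gps.longitude, "GT", "-75.0", "integer")
end

-- Constructed sample posture records (illustrative, not real Host Scan output).
local compliant = {
  os = { version = "Windows Mobile 6.5", architecture = "arm" },
  device = {
    devicelock     = { ["DeviceLock"] = { enabled = "true", active = "true",
                         timeoutmins = "10", age = "86400", complexity = "strong" } },
    autoencryption = { ["Auto-encryption"] = { exists = "true", enabled = "true" } },
    bluetooth      = { ["Bluetooth"] = { exists = "true", enabled = "true", state = "hidden" } },
    gps            = { ["GPS"] = { exists = "true", enabled = "true",
                         latitude = "42.36", longitude = "-71.06" } },
  },
}
local weak_lock = {
  os = { version = "Windows Mobile 6.5", architecture = "arm" },
  device = {
    devicelock     = { ["DeviceLock"] = { enabled = "true", active = "false",
                         timeoutmins = "30", age = "86400", complexity = "numeric" } },
    autoencryption = { ["Auto-encryption"] = { exists = "true", enabled = "false" } },
    bluetooth      = { ["Bluetooth"] = { exists = "true", enabled = "true", state = "discoverable" } },
    -- no gps section: no satellite fix was available
  },
}
local no_lock_data = { os = { version = "Windows Mobile 6.5" }, device = {} }

assert(mobile_posture_ok(compliant)    == true)
assert(mobile_posture_ok(weak_lock)    == false)
assert(mobile_posture_ok(no_lock_data) == false)   -- missing section fails closed
assert(inside_geofence(compliant)      == true)
assert(inside_geofence(weak_lock)      == false)
-- Why the type argument matters: as strings, "9" sorts after "10".
assert(EVAL("9", "GT", "10", "string")  == true)
assert(EVAL("9", "GT", "10", "integer") == false)
print("posture harness: all checks behaved as expected")
```

Once an expression behaves correctly here, paste the body of mobile_posture_ok or inside_geofence (the return expression, without the local variables) into the Advanced field of the DAP; on the ASA the real EVAL replaces the local model, and the endpoint table is populated by Host Scan rather than constructed by hand.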