Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 65 Configuring Dynamic Access Policies
Understanding VPN Access Policies
Note: If you must use Advanced mode, we recommend that you use EVAL expressions whenever possible. They are clearer, which makes verifying the program straightforward.
EVAL(<attribute>, <comparison>, {<value> | <attribute>}, [<type>])
Example:
EVAL(endpoint.os.version, "EQ", "Windows XP", "string")
Constructing DAP EVAL Expressions
Study these examples for help in creating logical expressions in Lua.
• This endpoint expression tests for a match on CLIENTLESS OR CVC client types:
(EVAL(endpoint.application.clienttype, "EQ", "CLIENTLESS") or
EVAL(endpoint.application.clienttype, "EQ", "CVC"))
• This endpoint expression tests for Norton Antivirus versions 10.x but excludes 10.5.x:
(EVAL(endpoint.av["NortonAV"].version, "GE", "10", "version") and
(EVAL(endpoint.av["NortonAV"].version, "LT", "10.5", "version") or
EVAL(endpoint.av["NortonAV"].version, "GE", "10.6", "version")))
<attribute>   AAA attribute or an attribute returned from Cisco Secure Desktop; see Table 65-1 and Table 65-3 for attribute definitions.
<comparison>  One of the following strings (quotation marks required):
    "EQ"        equal
    "NE"        not equal
    "LT"        less than
    "GT"        greater than
    "LE"        less than or equal
    "GE"        greater than or equal
<value>       A string in quotation marks that contains the value to compare the attribute against.
<type>        One of the following strings (quotation marks required):
    "string"    case-sensitive string comparison
    "caseless"  case-insensitive string comparison
    "integer"   number comparison, converts string values to numbers
    "hex"       number comparison using hexadecimal values, converts hex string to hex numbers
    "version"   compares versions of the form X.Y.Z, where X, Y, and Z are numbers
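As an added example (not from the Cisco guide), the Lua below runs the Norton expression above against constructed version strings, using a stand-in EVAL written for illustration only. It assumes that "version" compares dot-separated numeric components, that an omitted type means "string", and that a missing attribute never matches. Because the "GE" "10.6" test has no upper limit, the expression as written also matches 11.0 and later; bounded_rule (a hypothetical name) adds an "LT" "11" test to keep the match inside 10.x.

```lua
-- Stand-in for the ASA built-in EVAL, written for this example only.
-- Assumptions: "version" compares dot-separated numeric components (missing
-- components count as 0); an omitted <type> is treated as "string".
local function parts(s)
  local t = {}
  for n in tostring(s):gmatch("%d+") do t[#t + 1] = tonumber(n) end
  return t
end

-- Returns -1, 0 or 1 for a < b, a == b, a > b.
local function compare(a, b, typ)
  if typ == "string" then
    return a == b and 0 or (a < b and -1 or 1)
  end
  assert(typ == "version", "only string and version are modelled here")
  local x, y = parts(a), parts(b)
  for i = 1, math.max(#x, #y) do
    local xi, yi = x[i] or 0, y[i] or 0
    if xi ~= yi then return xi < yi and -1 or 1 end
  end
  return 0
end

local OPS = { EQ = function(c) return c == 0 end, NE = function(c) return c ~= 0 end,
              LT = function(c) return c < 0 end,  GT = function(c) return c > 0 end,
              LE = function(c) return c <= 0 end, GE = function(c) return c >= 0 end }

function EVAL(attr, op, value, typ)
  if attr == nil then return false end  -- assumption: missing attribute never matches
  return OPS[op](compare(attr, value, typ or "string"))
end

-- The page's Norton expression, unchanged apart from straight quotes.
local function page_rule(endpoint)
  return (EVAL(endpoint.av["NortonAV"].version, "GE", "10", "version") and
    (EVAL(endpoint.av["NortonAV"].version, "LT", "10.5", "version") or
     EVAL(endpoint.av["NortonAV"].version, "GE", "10.6", "version")))
end

-- Hypothetical variant with an explicit upper bound so that only 10.x matches.
local function bounded_rule(endpoint)
  return page_rule(endpoint) and
    EVAL(endpoint.av["NortonAV"].version, "LT", "11", "version")
end

for _, v in ipairs({ "9.9", "10.0.1", "10.5.3", "10.6", "11.0" }) do  -- constructed
  local ep = { av = { NortonAV = { version = v } } }
  print(v, page_rule(ep), bounded_rule(ep))
end
```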