65-28
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 65 Configuring Dynamic Access Policies
Understanding VPN Access Policies
end
end
return false
end
return (check(endpoint.av) or check(endpoint.fw) or check(endpoint.as))
end)()
CheckAndMsg with Custom Function Example
You can use the following function to deny access in the absence of an antivirus program. Use it with a
DAP that has Action set to terminate.
assert( function()
for k,v in pairs(endpoint.av) do
if (EVAL(v.exists, "EQ”, "true", "string")) then
return false
end
end
return CheckAndMsg(true, "Please install antivirus software before connecting.", nil)
end)()
If a user lacking an antivirus program attempts to log in, DAP displays the following message:
Please install antivirus software before connecting.
Further Information on Lua
You can find detailed LUA programming information at http://www.lua.org/manual/5.1/manual.html.
Operator for Endpoint Category
You can configure multiple instances of each type of endpoint. In this pane, set each type of endpoint to
require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All =
AND).
• If you configure only one instance of an endpoint category, you do not need to set a value.
• For some endpoint attributes, it makes no sense to configure multiple instances. For example, no
users have more than one running OS.
• You are configuring the Match Any/Match All operation within each endpoint type.
The security appliance evaluates each type of endpoint attribute, and then performs a logical AND
operation on all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the
endpoints you configure, as well as the AAA attributes.
DAP Examples
The following sections provide examples of useful dynamic access policies.
• Using DAP to Define Network Resources
• Using DAP to Apply a WebVPN ACL
• Enforcing CSD Checks and Applying Policies via DAP
To Next Page
Loading...
Need help?
General
