65-29
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 65 Configuring Dynamic Access Policies
Understanding VPN Access Policies
Using DAP to Define Network Resources
This example shows how to configure dynamic access policies as a method of defining network
resources for a user or group. The DAP record named Trusted_VPN_Access permits both clientless
and AnyConnect VPN access; the record named Untrusted_VPN_Access permits clientless VPN access
only. Table 65-4 summarizes the configuration of each of these policies.
The ASDM path is Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic
Access Policies > Add/Edit Dynamic Access Policy > Endpoint.
Using DAP to Apply a WebVPN ACL
DAP can directly enforce a subset of access policy attributes, including network ACLs (for IPsec and
AnyConnect), clientless SSL VPN Web-Type ACLs, URL lists, and functions. It cannot directly
enforce, for example, a banner or the split-tunnel list; the group policy enforces those. The Access
Policy Attributes tabs in the Add/Edit Dynamic Access Policy pane list all of the attributes that
DAP directly enforces.
Active Directory/LDAP stores a user's group membership in the memberOf attribute of the user
entry. You can define a DAP record such that, for a user whose AD group (memberOf) = Engineering,
the adaptive security appliance applies a configured Web-Type ACL. To accomplish this task, perform
the following steps:
Step 1 Navigate to the Add AAA Attribute pane (Configuration > Remote Access VPN > Clientless SSL VPN
Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add
AAA Attribute).
Step 2 For the AAA Attribute type, use the drop-down menu to choose LDAP.
Step 3 In the Attribute ID field, enter memberOf, exactly as shown here. Case is important: the
attribute ID must match the LDAP attribute name character for character, or the criterion never matches.
Step 4 In the Value field, use the drop-down menu to choose =, and in the adjacent field enter Engineering.
Step 5 In the Access Policy Attributes area of the pane, click the Web-Type ACL Filters tab.
Step 6 Use the Web-Type ACL drop-down menu to select the ACL you want to apply to users in the AD group
(memberOf) = Engineering.
Table 65-4 A Simple DAP Configuration for Network Resources

Attribute                               Trusted_VPN_Access          Untrusted_VPN_Access
Endpoint Attribute Type Policy          Trusted                     Untrusted
Endpoint Attribute Process              iexplore.exe                -
Advanced Endpoint Assessment Attribute  AntiVirus= McAfee           -
CSD Location                            Trusted                     Untrusted
LDAP memberOf                           Engineering, Managers       Vendors
ACL                                     -                           Web-Type ACL
Access                                  AnyConnect and Web Portal   Web Portal
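The following is an added worked example, not code from the Cisco guide. It models how the two DAP records of Table 65-4 and the memberOf-to-Web-Type-ACL record from Steps 1 through 6 are selected for a session: every criterion configured on a record must hold (AND), a multi-valued attribute such as memberOf matches when any of its values matches, and every record whose criteria hold is selected. The attribute names mirror the aaa.ldap and endpoint values that DAP evaluates, but the data model, the record name Engineering_WebACL, the ACL names, the constructed sessions, and the reduction of a memberOf DN to its CN (so that the bare value "Engineering" entered in Step 4 can match) are all assumptions made for illustration.

```python
"""DAP record selection for Table 65-4 and the memberOf / Web-Type ACL procedure.

Added example, not code from the Cisco guide.  Matching rules modelled here:
all criteria on a record are ANDed, a multi-valued attribute (memberOf) matches
if any value matches, and every matching record is selected.  Aggregation of
attributes across several selected records is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass


def group_name(value: str) -> str:
    """Reduce a memberOf value to the group name the procedure compares against.

    Assumption: AD returns memberOf as a DN ('CN=Engineering,OU=...,DC=...')
    while Step 4 enters the bare name 'Engineering', so keep only the CN.
    """
    if "=" not in value:
        return value
    attr, _, name = value.split(",", 1)[0].partition("=")
    return name if attr.strip().lower() == "cn" else value


@dataclass(frozen=True)
class Session:
    """Attributes learned at login (AAA) and from the endpoint (CSD/HostScan)."""
    member_of: tuple[str, ...]                  # aaa.ldap.memberOf (multi-valued)
    policy_location: str                        # endpoint policy: Trusted/Untrusted
    csd_location: str                           # CSD Location
    processes: frozenset[str] = frozenset()     # running processes seen by HostScan
    antivirus: frozenset[str] = frozenset()     # Advanced Endpoint Assessment AV


@dataclass(frozen=True)
class DapRecord:
    """One DAP record: selection criteria (None = not checked) and enforced attributes."""
    name: str
    policy_location: str | None = None
    process: str | None = None
    antivirus: str | None = None
    csd_location: str | None = None
    member_of: frozenset[str] = frozenset()     # membership in any listed group qualifies
    webtype_acl: str | None = None              # clientless Web-Type ACL to apply
    access: frozenset[str] = frozenset()        # permitted access methods

    def matches(self, s: Session) -> bool:
        """All configured criteria must hold for the record to be selected."""
        if self.policy_location is not None and s.policy_location != self.policy_location:
            return False
        if self.csd_location is not None and s.csd_location != self.csd_location:
            return False
        # Windows process names are case-insensitive, so compare accordingly.
        if self.process is not None and self.process.lower() not in {p.lower() for p in s.processes}:
            return False
        if self.antivirus is not None and self.antivirus not in s.antivirus:
            return False
        if self.member_of:
            groups = {group_name(v) for v in s.member_of}   # exact-case group names
            if not groups & self.member_of:
                return False
        return True


def select_records(records: list[DapRecord], s: Session) -> list[DapRecord]:
    """Return every record whose criteria the session satisfies, in configured order."""
    return [r for r in records if r.matches(s)]


# Table 65-4, plus a record for the Step 1-6 procedure (record and ACL names assumed).
TRUSTED = DapRecord(
    name="Trusted_VPN_Access", policy_location="Trusted", process="iexplore.exe",
    antivirus="McAfee", csd_location="Trusted",
    member_of=frozenset({"Engineering", "Managers"}),
    access=frozenset({"AnyConnect", "Web Portal"}),
)
UNTRUSTED = DapRecord(
    name="Untrusted_VPN_Access", policy_location="Untrusted", csd_location="Untrusted",
    member_of=frozenset({"Vendors"}),
    webtype_acl="vendor_portal_acl",            # table says only "Web-Type ACL"; name assumed
    access=frozenset({"Web Portal"}),
)
ENGINEERING_ACL = DapRecord(
    name="Engineering_WebACL", member_of=frozenset({"Engineering"}), webtype_acl="eng_web_acl",
)
RECORDS = [TRUSTED, UNTRUSTED, ENGINEERING_ACL]

# Constructed sessions for illustration (not captured from a device).
ENGINEER_OK = Session(
    member_of=("CN=Engineering,OU=Groups,DC=example,DC=com",),
    policy_location="Trusted", csd_location="Trusted",
    processes=frozenset({"IEXPLORE.EXE", "outlook.exe"}), antivirus=frozenset({"McAfee"}),
)
# Same user, but the endpoint assessment found no McAfee: the AND fails for Trusted_VPN_Access.
ENGINEER_NO_AV = Session(
    member_of=ENGINEER_OK.member_of, policy_location="Trusted", csd_location="Trusted",
    processes=ENGINEER_OK.processes,
)
VENDOR_UNTRUSTED = Session(
    member_of=("CN=Vendors,OU=Groups,DC=example,DC=com",),
    policy_location="Untrusted", csd_location="Untrusted",
)

if __name__ == "__main__":
    for label, s in (("engineer", ENGINEER_OK), ("engineer, no AV", ENGINEER_NO_AV),
                     ("vendor", VENDOR_UNTRUSTED)):
        hits = [r.name for r in select_records(RECORDS, s)]
        print(f"{label:16} -> {hits or 'no record matched'}")
```

Two points the model makes visible. First, the Step 1-6 record carries only a memberOf criterion, so it is selected for any Engineering user regardless of the endpoint's posture; if the ACL should depend on where or how the user connects, add the endpoint attributes from Table 65-4 to the same record. Second, a session that satisfies no record at all (for example, a Vendors user arriving from a Trusted location) falls through to the default DAP record, DfltAccessPolicy, so its attributes deserve the same review as the named records.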
