About Dynamic Access Policies
VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles each user may inhabit within an organization, and logins from remote access sites with different configurations and levels of security. The task of authorizing users is much more complicated in a VPN environment than it is in a network with a static configuration.
Dynamic access policies (DAP) on the ASA let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security. That is, the ASA grants access to a particular user for a particular session based on the policies you define. The ASA generates a DAP at the time the user connects by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.
DAP is not supported in multiple-context mode.
The DAP system includes the following components that require your attention:
-
DAP Selection Configuration File—A text file containing criteria that the ASA uses for selecting and applying DAP records during session establishment. Stored on the ASA. You can use ASDM to modify it and upload it to the ASA in XML data format. DAP selection configuration files include all of the attributes that you configure. These can include AAA attributes, endpoint attributes, and access policies as configured in network and web-type ACL filter, port forwarding and URL lists.
-
DfltAccess Policy—Always the last entry in the DAP summary table, always with a priority of 0. You can configure Access Policy attributes for the default access policy, but it does not contain—and you cannot configure—AAA or endpoint attributes. You cannot delete the DfltAccessPolicy, and it must be the last entry in the summary table.
Refer to the Dynamic Access Deployment Guide (https://supportforums.cisco.com/docs/DOC-1369) for additional information.
DAP Support of Remote Access Protocols and Posture Assessment Tools
The ASA obtains endpoint security attributes by using posture assessment tools that you configure. These posture assessment tools include the AnyConnect posture module, the independent Host Scan package, and NAC.
The following table identifies each of the remote access protocols DAP supports, the posture assessment tools available for that method, and the information that tool provides.
Supported Remote Access Protocol |
AnyConnect Posture Module Host Scan package Cisco Secure Desktop (without Endpoint Assessment Host Scan Extension enabled) |
AnyConnect Posture Module Host Scan package Cisco Secure Desktop (with Endpoint Assessment Host Scan Extension enabled) |
NAC |
Cisco NAC Appliance |
---|---|---|---|---|
Returns file information, registry key values, running processes, operating system |
Returns antivirus, antispyware, and personal firewall software information |
Returns NAC status |
Returns VLAN Type and VLAN IDs |
|
IPsec VPN |
No |
No |
Yes |
Yes |
Cisco AnyConnect VPN |
Yes |
Yes |
Yes |
Yes |
Clientless (browser-based) SSL VPN |
Yes |
Yes |
No |
No |
PIX Cut-through Proxy (posture assessment not available) |
No |
No |
No |
No |
Remote Access Connection Sequence with DAPs
The following sequence outlines a typical remote access connection establishment.
-
A remote client attempts a VPN connection.
-
The ASA performs posture assessment, using configured NAC and Cisco Secure Desktop Host Scan values.
-
The ASA authenticates the user via AAA. The AAA server also returns authorization attributes for the user.
-
The ASA applies AAA authorization attributes to the session, and establishes the VPN tunnel.
-
The ASA selects DAP records based on the user AAA authorization information and the session posture assessment information.
-
The ASA aggregates DAP attributes from the selected DAP records, and they become the DAP policy.
-
The ASA applies the DAP policy to the session.