basiclesno.blogg.se

Cisco secure desktop












I’ve decided to merge parts 5 and 6 together since host scan results are used directly with dynamic access policies. In this post we’ll walk through an example of how to define a basic host scan and use its results to determine access with dynamic access policies.

DAPs (Dynamic Access Policies) allow you to evaluate tons of different client settings and apply policy based upon the results. With regard to CSD, DAPs are evaluated at the time of logon. As you might recall from part 2 of this series, we can ask host scan to look for processes, files, and registry entries during the CSD load process. The results of those scans are sent to the ASA and then evaluated during the user login process. A default DAP (DfltAccessPolicy) is defined in the ASA, which is enforced if the ASA can’t match the user to another DAP based on other criteria. Let’s take a look at the DAP screen in the ASDM.

As mentioned above, there is a single DAP defined from the start. The DAP is enforced if no other DAPs are matched to the client configuration. Let’s do a quick example of how the default DAP works. Select the Default DAP and select ‘Edit’ from the right-hand side of the screen. Editing the default DAP will look slightly different than editing DAPs you create. This is because you aren’t allowed to change which attributes match the default DAP. Change the settings of the default DAP to look like the screen below. Ensure that ‘Terminate’ is selected and enter a meaningful user message. Then press OK to close the DAP window and then press apply in the ASDM window. Now let’s try logging into our WebVPN portal to see what happens.

As you can see, we matched the default DAP and received the error message we defined.

Under basic host scan select the ‘Add’ button and select ‘File Scan…’ as shown below. In the ‘Add File Scan’ window let’s define a test scan searching for a file that we are sure the DAP will find. Press ‘OK’ to add the file to basic host scan. Ensure you press the ‘Apply All’ button at the bottom of the screen as well.

Now let’s go back to the DAP window and define a new DAP. Press the ‘Add’ button on the right side of the screen. You should be presented with the ‘Add Dynamic Access Policy’ window as shown below. There are a ton of options we can define but for now let’s just make a DAP that looks for the file we defined in host scan. To do this, press the ‘Add’ button on the far right of the screen. This should present you with the ‘Add Endpoint Attribute’ window as shown below.

Endpoint attributes are any settings sent to the ASA about the state of the client.
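The logon flow described in this post (host scan file results reported to the ASA, DAPs matched against them, DfltAccessPolicy as the fallback set to Terminate) can be sketched as a small Python model. This is an added illustration, not ASA code or anything from the original post; the record name `FileCheckDAP`, the file label `testfile`, the user message, and the rule for combining several matched records are assumptions made for the example.

```python
# Simplified model of DAP selection at logon (illustration only, not ASA code).
from dataclasses import dataclass, field

@dataclass
class DapRecord:
    name: str
    action: str                      # "continue" or "terminate"
    user_message: str = ""
    # Endpoint criteria: host scan file label -> required "exists" value
    file_criteria: dict = field(default_factory=dict)

    def matches(self, scan: dict) -> bool:
        # A file label missing from the report is treated as not existing.
        return all(scan.get(label, False) == want
                   for label, want in self.file_criteria.items())

# The built-in fallback record, set to Terminate as in the walkthrough.
DEFAULT_DAP = DapRecord("DfltAccessPolicy", "terminate",
                        "No access policy matched this device.")  # constructed message

def evaluate_logon(scan: dict, records: list) -> tuple:
    """Return (selected record names, action, user message) for one logon."""
    # Records without criteria are skipped here so nothing matches by accident.
    matched = [r for r in records if r.file_criteria and r.matches(scan)]
    if not matched:
        d = DEFAULT_DAP
        return ([d.name], d.action, d.user_message)
    # Modelling choice: any selected record that terminates ends the session.
    terminating = [r for r in matched if r.action == "terminate"]
    names = [r.name for r in matched]
    if terminating:
        return (names, "terminate", terminating[0].user_message)
    return (names, "continue", "")

# Constructed sample: one custom DAP keyed on a host scan file entry.
RECORDS = [DapRecord("FileCheckDAP", "continue", file_criteria={"testfile": True})]

if __name__ == "__main__":
    for scan in ({"testfile": True}, {"testfile": False}, {}):
        print(scan, "->", evaluate_logon(scan, RECORDS))
```

With the default record set to Terminate, a client whose scan report lacks the file, or that sends no report at all, is denied rather than admitted.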












