How does Cisco ASA conduct the order of processing? A competitor box runs all the rules in a logical order (“IF/Then” “stop/next”). Does the Cisco ASA WebVPN DAP process policies and have no stop rule ability? I’m curious if the ASA processes policies? Does it hit the first DAP and move onto the next DAP, or is there a way to issue a "stop", and then process the next DAP(s)?
ASA processes all DAP policies for every single connection. The end result is a combination of all the DAP policies selected. So if the Action is to assign a filter for 2 DAP policy that the user hits, the ASA combines the filter lines into 1 and assigns it to the user. IF the Action is deny connection in any one of the DAP policies hit, then the user is denied connection. The ASA does not stop processing DAP if it matches a condition. If it does not match any of the DAP policies, it takes the action in the Default DAP policy.
Thank you for your answer. So, with the below scenario, it seems since the ASA process all DAP policies, then Rule 3 would break Rule 2...correct?
user = ('BP*' or 'NON*' OR 'bp*' OR 'non*') gets one training bookmark regardless of background flag. Basically, you just need a valid RSA token.
userAttr.backgroundcheck = 'no' AND userAttr.ou = 'buspartner' stop rule
userAttr.backgroundcheck = 'no' AND userAttr.ou = 'contractor' stop rule
userAttr.backgroundcheck = 'no' AND userAttr.ou = 'JV' stop rule
username is "*" Everyone gets directory service pages
Without a stop rule ability, would the Rule 3 break Rule 2 and give everyone the directory service pages? Or, would you be able to keep the integrity of Rule 2 and not allow these users access by giving the DAP policy higher priority?
If I recall correctly, then the user would get both bookmarks from Rule 2 AND Rule 3. If Rule 3 is the default rule (Default DAP policy), then it won't be hit unless none of the above rules match.
This guide should explain the DAP aggregation bit in detail: