Showing results for 
Search instead for 
Did you mean: 

Dynamic Access Policy - FMC

Hi Everyone!

I’m trying to use the Dynamic Access Policy in Cisco FMC to create a RA policy for specific VPN profiles.

I’m trying the new FMC DAP option under Device/VPN/DAP.

Have someone ever used this feature to create a policy like this:

  • If the user selects the VPN profile IT.
  • Belongs to the IT Active Directory group.
    • Allow connection.
    • If not, then deny access.

I tried to find documentation about this new part in FMC 7.0, but I need help finding good documentation.

I tried the LDAP criteria memberOf, and the Radius criteria 4242 (according to Cisco Documentation, this is for RADIUS attributes, DAP defines the Attribute ID = 4096 + RADIUS ID). And used the Cisco VPN Criteria with Connection Profile or Group Policy.

Documentation found:,collection%20of%20access%20control%20attributes.

Thanks for any help on this!

1 Reply 1

To create a Dynamic Access Policy (DAP) in Cisco FMC for specific VPN profiles, you can follow these steps:

1. Log in to the Cisco FMC and navigate to Devices ) Dynamic Access Policy.
2. Click on "Create Dynamic Access Policy" to create a new DAP.
3. Provide a Name for the DAP policy and an optional Description.
4. Select the HostScan Package from the list, which contains information about the endpoint system environment and posture assessment results.
5. Click Save to create the DAP policy.
6. To add a DAP record to the policy, click on the policy name to edit it.
7. Specify the Name and Priority for the DAP record.
8. Select an Action to be taken when the DAP record matches, such as Continue, Terminate, or Quarantine.
9. Optionally, you can select Display User Message on Criterion Match and add a message that will be displayed to the user when this DAP record is selected.
10. You can also apply a Network ACL on Traffic by selecting the checkbox and choosing the ACL from the list.
11. To configure endpoint attribute selection criteria, click on the Endpoint Criteria tab.
12. Depending on your requirements, you can add various endpoint attributes such as Anti-Malware, Device, AnyConnect, NAC, Application, Personal Firewall, Operating System, Process, Registry, File, and Certificate Authentication.
13. For each endpoint attribute, specify the criteria and values that must be satisfied for the DAP record to match.
14. Click Save to save the DAP record.
15. Repeat steps 6-14 to add additional DAP records if needed.
16. Once you have created the DAP policy and records, you can associate it with a Remote Access VPN policy.
17. Navigate to Devices ) Remote Access and select an existing remote access VPN policy or create a new one.
18. Edit the remote access VPN policy and click the link under Dynamic Access Policy.
19. Select the DAP policy from the list or click Add to configure a new one.
20. Click OK and then Save to save the remote access VPN policy.

Now, the DAP attributes will be checked when a VPN user tries to connect, and the appropriate DAP record will be applied to the VPN session based on the matching criteria and chosen action.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: