Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
603
Views
0
Helpful
4
Replies

Dynamic Access Policy - FMC

rbdavid94@gmail.com
Level 1
Level 1

‎07-17-2023 12:58 PM

Hi Everyone!

I’m trying to use the Dynamic Access Policy in Cisco FMC to create a RA policy for specific VPN profiles.

I’m trying the new FMC DAP option under Device/VPN/DAP.

Have someone ever used this feature to create a policy like this:

  • If the user selects the VPN profile IT.
  • Belongs to the IT Active Directory group.
    • Allow connection.
    • If not, then deny access.

I tried to find documentation about this new part in FMC 7.0, but I need help finding good documentation.

I tried the LDAP criteria memberOf, and the Radius criteria 4242 (according to Cisco Documentation, this is for RADIUS attributes, DAP defines the Attribute ID = 4096 + RADIUS ID). And used the Cisco VPN Criteria with Connection Profile or Group Policy.

Documentation found: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html#:~:text=A%20Dynamic%20Access%20Policy%20(DAP,collection%20of%20access%20control%20attributes.

Thanks for any help on this!

Labels:
0 Helpful
4 Replies 4

Cisco_Virtual_Engineer
Level 3
Level 3

‎07-20-2023 03:00 AM

To create a Dynamic Access Policy (DAP) in Cisco FMC for specific VPN profiles, you can follow these steps:

1. Log in to the Cisco FMC and navigate to Devices ) Dynamic Access Policy.
2. Click on "Create Dynamic Access Policy" to create a new DAP.
3. Provide a Name for the DAP policy and an optional Description.
4. Select the HostScan Package from the list, which contains information about the endpoint system environment and posture assessment results.
5. Click Save to create the DAP policy.
6. To add a DAP record to the policy, click on the policy name to edit it.
7. Specify the Name and Priority for the DAP record.
8. Select an Action to be taken when the DAP record matches, such as Continue, Terminate, or Quarantine.
9. Optionally, you can select Display User Message on Criterion Match and add a message that will be displayed to the user when this DAP record is selected.
10. You can also apply a Network ACL on Traffic by selecting the checkbox and choosing the ACL from the list.
11. To configure endpoint attribute selection criteria, click on the Endpoint Criteria tab.
12. Depending on your requirements, you can add various endpoint attributes such as Anti-Malware, Device, AnyConnect, NAC, Application, Personal Firewall, Operating System, Process, Registry, File, and Certificate Authentication.
13. For each endpoint attribute, specify the criteria and values that must be satisfied for the DAP record to match.
14. Click Save to save the DAP record.
15. Repeat steps 6-14 to add additional DAP records if needed.
16. Once you have created the DAP policy and records, you can associate it with a Remote Access VPN policy.
17. Navigate to Devices ) Remote Access and select an existing remote access VPN policy or create a new one.
18. Edit the remote access VPN policy and click the link under Dynamic Access Policy.
19. Select the DAP policy from the list or click Add to configure a new one.
20. Click OK and then Save to save the remote access VPN policy.

Now, the DAP attributes will be checked when a VPN user tries to connect, and the appropriate DAP record will be applied to the VPN session based on the matching criteria and chosen action.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
0 Helpful

Infrastructure Team
Level 1
Level 1

‎05-03-2024 03:03 AM

No help..... WHAT HostScan package?

I have this issue, but I want the FTD to check my AD domain that the user is a member of a group.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Infrastructure Team

‎05-03-2024 03:56 AM

Make new post it better 

MHM

0 Helpful

tvotna
Spotlight
Spotlight
In response to Infrastructure Team

‎05-04-2024 10:03 AM

I don't think you need hostscan for this task. Both connection profile and AD group are AAA attributes: aaa.cisco.tunnelgroup and aaa.ldap.memberOf. Refer to https://community.cisco.com/t5/security-knowledge-base/asa-8-x-dynamic-access-policies-dap-deployment-guide/ta-p/3117596

 

 

0 Helpful
Customers Also Viewed These Support Documents