Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Dynamic Access Page (ASA)
Logical Operations Tab
Use the Logical Operations tab of the Add/Edit Dynamic Access Policy dialog box to configure multiple instances of the AAA and each type of endpoint attribute that you defined in the DAP Entry dialog box. On this tab, set each type of endpoint or AAA attribute to require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All = AND).

If you configure only one instance of an endpoint category, you do not need to set a value.

For some endpoint attributes, it is not useful to configure multiple instances. For example, no users have more than one running OS.

Table 31-20 Add/Edit DAP Entry Dialog Box > Registry (Continued)

Element / Description

Type
    Select one of the following options and assign the associated values:

    Matches—Select if the mere presence of the named registry key on the remote PC is sufficient to match the prelogin policy you are configuring. For example, select this option if you want to require the following registry key to be present to match a criterion for assigning a prelogin policy:
        HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>

    Doesn’t Match—Select if the absence of the named registry key from the remote PC is sufficient to match the prelogin policy you are configuring. For example, select this option if you want to require the following registry key to be absent to match a criterion for assigning a prelogin policy:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>

Endpoint ID
    A string that identifies an endpoint for files, processes or registry entries. Dynamic access policies use this ID to match Cisco Secure Desktop host scan attributes for dynamic access policy selection. You must configure Host Scan before you configure this attribute. When you configure Host Scan, the configuration displays in this pane, so you can select it, reducing the possibility of errors in typing or syntax.

Registry Name
    Select the text that describes the registry name from the list.

Value
    Select the value, dword or string, from the list, then select the matching criteria (whether it equals or does not equal), and enter a decimal or a string to compare with the dword or string value of the registry key on the remote PC.

    Note: “DWORD” refers to the attribute in the Add/Edit Registry Criterion dialog box. “Dword” refers to the attribute as it appears in the registry key. Use the regedit application, accessed on the Windows command line, to view the Dword value of a registry key, or use it to add a Dword value to the registry key to satisfy the requirement you are configuring.

Ignore Case
    When selected, ignores the case in the registry entry if it includes a string.
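
The following Python sketch is an added example, not code from the Cisco guide or from Security Manager. It models how the registry criterion fields (Matches / Doesn't Match, Value, Ignore Case) and the Logical Operations setting (Match All = AND, Match Any = OR) combine. The names RegistryCriterion, evaluate, ExampleAV and ExampleSpyware are hypothetical, the scan dictionaries are constructed sample data, and treating a dword/string type mismatch as a non-match is an assumption.

```python
# Added illustration: models the matching rules described in the text.
# Not Cisco code; all names and sample data below are constructed.
from dataclasses import dataclass
from typing import Optional, Union

@dataclass
class RegistryCriterion:
    key: str                                  # registry key reported by host scan
    must_exist: bool = True                   # True = Matches, False = Doesn't Match
    value: Optional[Union[int, str]] = None   # dword (decimal) or string; None = presence only
    equals: bool = True                       # True = equals, False = does not equal
    ignore_case: bool = False                 # applies to string values only

    def matches(self, scan: dict) -> bool:
        present = self.key in scan
        if not self.must_exist:
            return not present
        if not present:
            return False
        if self.value is None:
            return True
        actual = scan[self.key]
        if type(actual) is not type(self.value):
            return False                      # assumption: dword/string mismatch never matches
        if isinstance(actual, str) and self.ignore_case:
            same = actual.lower() == self.value.lower()
        else:
            same = actual == self.value
        return same == self.equals

def evaluate(criteria, scan, match_all):
    """Combine instances of one attribute type: Match All = AND, Match Any = OR."""
    results = [c.matches(scan) for c in criteria]
    return all(results) if match_all else any(results)

AV = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV"
SPY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ExampleSpyware"
CRITERIA = [
    RegistryCriterion(AV, value="enabled", ignore_case=True),
    RegistryCriterion(SPY, must_exist=False),
]
CLEAN = {AV: "Enabled"}
INFECTED = {AV: "Enabled", SPY: "spy.exe"}

if __name__ == "__main__":
    for name, scan in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, "AND:", evaluate(CRITERIA, scan, True), "OR:", evaluate(CRITERIA, scan, False))
```

With Match Any, the constructed infected host still satisfies the registry criteria because the protective-software instance alone is true; Match All rejects it.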