Cisco Systems ASA5515K9, ASA 5500 Configuring Group Policies

67-39

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

unix-auth-uid 65534

unix-auth-gid 65534

file-entry enable

file-browsing enable

url-entry enable

deny-message value Login was successful, but because certain criteria

have not been met or due to some specific group policy, you do not have

permission to use any of the VPN features.

Contact your IT administrator for more information

smart-tunnel auto-signon disable

anyconnect ssl df-bit-ignore disable

anyconnect routing-filtering-ignore disable

smart-tunnel tunnel-policy tunnelall

always-on-vpn profile-setting

You can modify the default group policy, and you can also create one or more group policies specific to

your environment.

Configuring Group Policies

A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter,

the group takes the value from the default group policy. To configure a group policy, follow the steps in

the subsequent sections.

External group policies take their attribute values from the external server that you specify. For an

external group policy, you must identify the AAA server group that the ASA can query for attributes and

specify the password to use when retrieving attributes from the external AAA server group. If you are

using an external authentication server, and if your external group-policy attributes exist in the same

RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name

duplication between them.

Note External group names on the ASA refer to user names on the RADIUS server. In other words, if you

configure external group X on the ASA, the RADIUS server sees the query as an authentication request

for user X. So external groups are really just user accounts on the RADIUS server that have special

meaning to the ASA. If your external group attributes exist in the same RADIUS server as the users that

you plan to authenticate, there must be no name duplication between them

The ASA supports user authorization on an external LDAP or RADIUS server. Before you configure the

ASA to use an external server, you must configure the server with the correct ASA authorization

attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow

the instructions in AppendixC, “Configuring an External Server for Authorization and Authentication”

to configure your external server.

To configure an external group policy, do the following steps specify a name and type for the group

policy, along with the server-group name and a password:

hostname(config)# group-policy group_policy_name type server-group server_group_name

password server_password

hostname(config)#

Note For an external group policy, RADIUS is the only supported AAA server type.