67-40
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
For example, the following command creates an external group policy named ExtGroup that gets its
attributes from an external RADIUS server named ExtRAD and specifies that the password to use when
retrieving the attributes is newpassword:
hostname(config)# group-policy ExtGroup external server-group ExtRAD password newpassword
hostname(config)#
Note You can configure several vendor-specific attributes (VSAs), as described in AppendixC, “Configuring
an External Server for Authorization and Authentication”. If a RADIUS server is configured to return
the Class attribute (#25), the ASA uses that attribute to authenticate the Group Name. On the RADIUS
server, the attribute must be formatted as: OU=groupname; where groupname is identical to the Group
Name configured on the ASA—for example, OU=Finance.
Configuring an Internal Group Policy
To configure an internal group policy, specify a name and type for the group policy:
hostname(config)# group-policy group_policy_name type
hostname(config)#
For example, the following command creates the internal group policy named GroupPolicy1:
hostname(config)# group-policy GroupPolicy1 internal
hostname(config)#
The default type is internal.
You can initialize the attributes of an internal group policy to the values of a preexisting group policy by
appending the keyword from and specifying the name of the existing policy:
hostname(config)# group-policy group_policy_name internal from group_policy_name
hostname(config-group-policy)#
hostname(config-group-policy)#
Configuring Group Policy Attributes
For internal group policies, you can specify particular attribute values. To begin, enter group-policy
attributes mode, by entering the group-policy attributes command in global configuration mode.
hostname(config)# group-policy name attributes
hostname(config-group-policy)#
The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure
attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure
the attribute-value pairs that you do not want to inherit from the default group. The commands to do this
are described in the following sections.
Configuring WINS and DNS Servers
You can specify primary and secondary WINS servers and DNS servers. The default value in each case
is none. To specify these servers, do the following steps:
Step1 Specify the primary and secondary WINS servers:
hostname(config-group-policy)# wins-server value {ip_address [ip_address] | none}