32-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Configuring User Group Policies
Use the User Groups (IOS/PIX 6.x) policy to specify user groups for your remote access IPSec VPN
server. You can configure user groups on a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500/7600
device.
When you configure a remote access VPN server, you must create user groups to which remote clients
will belong. A user group policy specifies the attributes that determine user access to and use of the VPN.
User groups simplify system management, enabling you to quickly configure VPN access for large
numbers of users.
For example, in a typical remote access VPN, you might allow a finance group to access one part of a
private network, a customer support group to access another part, and an MIS group to access other parts.
In addition, you might allow specific users within MIS to access systems that other MIS users cannot
access. User group policies provide the flexibility to do so securely.
Remote clients must have the same group name as the user group configured on the VPN server so that
they can connect to the device; otherwise, a connection cannot be established. When a remote client
establishes a connection to the VPN server, the group policies for that user group are pushed to all clients
belonging to the same user group. You can configure user groups on the local remote access VPN server
and external AAA servers.
Notes
You can also specify user groups using the Remote Access VPN Configuration Wizard. For more
information, see Using the Remote Access VPN Configuration Wizard, page 29-13.
To specify group policies for an SSL VPN on an IOS device, use the SSL VPN policy as explained
in Configuring an SSL VPN Policy (IOS), page 32-14.
Related Topics
Understanding Remote Access IPSec VPNs, page 29-2
Step 1 Do one of the following:
(Device view) With an IOS router, Catalyst 6500/7600, or PIX 6.3 device selected, select Remote
Access VPN > IPSec VPN > User Groups (IOS/PIX 6.x) from the Policy selector.
(Policy view) Select Remote Access VPN > IPSec VPN > User Groups (IOS/PIX 6.x) from the
Policy Type selector. Select an existing policy or create a new one.
The User Groups page opens.
The page contains two lists: Available User Groups lists all existing User Group policy objects that are
configured for remote access IPSec VPNs; Selected User Groups lists all of the User Group policy
objects that will be configured on the device.
Step 2 Ensure that the list of selected user groups contains the desired User Group policy objects:
To create a new User Group policy object, click the Create (+) button beneath the available user
groups list to open the Add User Group dialog box. For instructions on creating the object, see Add
or Edit User Group Dialog Box, page 33-58.
After you create the group, it is added to the available list, and you must add it to the selected list if
you want to use it.
To add a User Group to the selected list, select it in the available list and click >>.
To remove a User Group, select it in the selected list and click <<. If the group is already configured
on the device, it will be removed during the next deployment.