Configuring group policies, Configuring an external group policy – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting

You can modify the default group policy, and you can also create one or more group policies specific to
your environment.

Configuring Group Policies

A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter,
the group takes the value from the default group policy. To configure a group policy, follow the steps in
the subsequent sections.

Configuring an External Group Policy

External group policies take their attribute values from the external server that you specify. For an
external group policy, you must identify the AAA server group that the ASA can query for attributes and
specify the password to use when retrieving attributes from the external AAA server group. If you are
using an external authentication server, and if your external group-policy attributes exist in the same
RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name
duplication between them.

Note

External group names on the ASA refer to user names on the RADIUS server. In other words, if you
configure external group X on the ASA, the RADIUS server sees the query as an authentication request
for user X. So external groups are really just user accounts on the RADIUS server that have special
meaning to the ASA. If your external group attributes exist in the same RADIUS server as the users that
you plan to authenticate, there must be no name duplication between them.

The ASA supports user authorization on an external LDAP or RADIUS server. Before you configure the
ASA to use an external server, you must configure the server with the correct ASA authorization
attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow
the instructions in Appendix C, “Configuring an External Server for Authorization and Authentication,”
to configure your external server.

To configure an external group policy, specify a name and type for the group policy, along with the
server-group name and a password:

hostname(config)# group-policy group_policy_name type server-group server_group_name password server_password
hostname(config)#

Note

For an external group policy, RADIUS is the only supported AAA server type.
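Because the ASA sends the attribute query for external group policy X to the RADIUS server as a request for user X, a RADIUS user with the same name would silently answer the group's attribute lookup. The following added example (not part of the Cisco guide) parses external group-policy lines out of an ASA running-config fragment and flags any name that also exists as a RADIUS user; the config lines and the user list are constructed samples, and the comparison is case-insensitive on the assumption that the RADIUS backend may not be case-sensitive.

```python
import re

# Constructed ASA running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
group-policy ENGINEERING external server-group RADIUS_SRV password s3cret
group-policy SALES internal
group-policy jsmith external server-group RADIUS_SRV password s3cret
"""

# Constructed list of user names defined on the same RADIUS server.
SAMPLE_RADIUS_USERS = ["jsmith", "akumar", "ENGINEERING-admin"]

# Matches: group-policy <name> external server-group <sg> password <pw>
EXTERNAL_RE = re.compile(
    r"^group-policy\s+(\S+)\s+external\s+server-group\s+(\S+)\s+password\s+\S+$"
)


def parse_external_group_policies(config_text):
    """Return {policy_name: server_group} for each external group policy."""
    policies = {}
    for line in config_text.splitlines():
        match = EXTERNAL_RE.match(line.strip())
        if match:
            policies[match.group(1)] = match.group(2)
    return policies


def find_name_collisions(config_text, radius_users):
    """Names used both as an external group policy and as a RADIUS user.

    The ASA queries RADIUS for user <policy_name>, so a real user account
    with that name would answer the group policy's attribute lookup.
    Comparison is case-insensitive (assumption: backend may fold case).
    """
    users = {u.lower() for u in radius_users}
    policies = parse_external_group_policies(config_text)
    return sorted(name for name in policies if name.lower() in users)


if __name__ == "__main__":
    for name in find_name_collisions(SAMPLE_CONFIG, SAMPLE_RADIUS_USERS):
        print(f"collision: external group policy '{name}' is also a RADIUS user")
```

Feed it the output of `show running-config group-policy` together with an export of the RADIUS user list to check a live configuration.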
