Cisco ASA 5505 Configuration Manual page 1734
Understanding Policy Enforcement of Permissions and Attributes
The adaptive security appliance supports several methods of applying user authorization attributes (also called user entitlements or permissions) to VPN connections. You can configure the adaptive security appliance to obtain user attributes from a Dynamic Access Policy (DAP) on the adaptive security appliance, from an external authentication and/or authorization AAA server (RADIUS or LDAP), from a group policy on the security appliance, or from all three.

If the security appliance receives attributes from all sources, the attributes are evaluated, merged, and applied to the user policy. If there are conflicts between attributes coming from the DAP, the AAA server, or the group policy, those attributes obtained from the DAP always take precedence.
The security appliance applies attributes in the following order (also illustrated in Figure B-1):

1. DAP attributes on the adaptive security appliance—Introduced in Version 8.0, these take precedence over all others. If you set a bookmark/URL list in DAP, it overrides a bookmark/URL list set in the group policy.
2. User attributes on the AAA server—The server returns these after successful user authentication and/or authorization. Do not confuse these with attributes that are set for individual users in the local AAA database on the adaptive security appliance (User Accounts in ASDM).
3. Group policy configured on the adaptive security appliance—If a RADIUS server returns the value of the RADIUS CLASS attribute IETF-Class-25 (OU=<group-policy>) for the user, the adaptive security appliance places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.
   For LDAP servers, any attribute name can be used to set the group policy for the session. The LDAP attribute map you configure on the adaptive security appliance maps the LDAP attribute to the Cisco attribute IETF-Radius-Class.
4. Group policy assigned by the Connection Profile (called tunnel-group in CLI)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication. All users connecting to the adaptive security appliance initially belong to this group, which provides any attributes that are missing from the DAP, user attributes returned by the server, or the group policy assigned to the user.
5. Default group policy assigned by the adaptive security appliance (DfltGrpPolicy)—System default attributes provide any values that are missing from the DAP, user attributes, group policy, or connection profile.

Cisco ASA 5500 Series Configuration Guide using ASDM, Appendix B: Configuring an External Server for Authorization and Authentication, page B-2 (OL-20339-01)
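The attribute precedence described in this section, as an added Python model (not code from the guide or from the ASA itself): the five sources are layered lowest precedence first, the group policy is selected from a RADIUS Class value of the form OU=<group-policy>, and each source only fills in attributes that no higher source set. Policy names and attribute names are constructed for illustration.

```python
import re

# RADIUS IETF-Class-25 value of the form OU=<group-policy> (item 3 above)
CLASS_RE = re.compile(r"^OU=(?P<gp>[^;]+)")

def group_policy_from_class(aaa_user):
    """Return the group policy name carried in the Class attribute, or None."""
    value = aaa_user.get("Class")
    if not value:
        return None
    m = CLASS_RE.match(value)
    return m.group("gp") if m else None

def effective_policy(dap, aaa_user, group_policies, tunnel_group_default, dflt_grp_policy):
    """Layer the sources lowest precedence first so that on a conflict the
    higher source wins and a source that sets nothing leaves the lower value.
    Order: DfltGrpPolicy < connection-profile group policy < Class-named
    group policy < AAA user attributes < DAP."""
    layers = [dflt_grp_policy, group_policies[tunnel_group_default]]
    gp_name = group_policy_from_class(aaa_user)
    if gp_name is not None:
        # Assumption of this model only: a Class naming a group policy that
        # does not exist on the appliance is treated as a configuration error.
        if gp_name not in group_policies:
            raise KeyError(f"Class names unknown group policy {gp_name!r}")
        layers.append(group_policies[gp_name])
    # AAA-returned user attributes, minus the Class selector itself
    layers.append({k: v for k, v in aaa_user.items() if k != "Class"})
    layers.append(dap)
    merged = {}
    for layer in layers:
        merged.update(layer)
    merged["_group_policy"] = gp_name or tunnel_group_default
    return merged

# Constructed sample policies and attribute names; not taken from the guide.
GROUP_POLICIES = {
    "RemoteAccessGP": {"vpn-idle-timeout": 30, "split-tunnel": "tunnelall"},
    "Engineering": {"vpn-idle-timeout": 60, "url-list": "eng-bookmarks"},
}
DFLT_GRP_POLICY = {"vpn-idle-timeout": 30, "vpn-session-timeout": 0,
                   "split-tunnel": "tunnelall", "banner": ""}

if __name__ == "__main__":
    # DAP sets a url-list; AAA returns Class=OU=Engineering and a session timeout
    p = effective_policy({"url-list": "dap-bookmarks"},
                         {"Class": "OU=Engineering", "vpn-session-timeout": 480},
                         GROUP_POLICIES, "RemoteAccessGP", DFLT_GRP_POLICY)
    print(p)  # url-list from DAP, idle timeout 60 from Engineering, banner from DfltGrpPolicy
```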