Cisco ASA Series Cli Configuration Manual page 1676

Group Policies
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met
or due to some specific group policy, you do not have permission to use any of the VPN
features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
You can modify the default group policy, and you can also create one or more group policies specific to
your environment.
Configuring Group Policies
A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter,
the group takes the value from the default group policy.
You can perform these configuration tasks in both single context mode or multiple-context mode:
Note
Multiple-context mode applies only to IKEv2 and IKEv1 site to site and does not apply to AnyConnect,
Clientless SSL VPN, legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN
client, or cTCP for IKEv1 IPsec.
Configuring an External Group Policy
External group policies take their attribute values from the external server that you specify. For an
external group policy, you must identify the AAA server group that the ASA can query for attributes and
specify the password to use when retrieving attributes from the external AAA server group. If you are
using an external authentication server, and if your external group-policy attributes exist in the same
RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name
duplication between them.
Note
External group names on the ASA refer to user names on the RADIUS server. In other words, if you
configure external group X on the ASA, the RADIUS server sees the query as an authentication request
for user X. So external groups are really just user accounts on the RADIUS server that have special
meaning to the ASA. If your external group attributes exist in the same RADIUS server as the users that
you plan to authenticate, there must be no name duplication between them.
The ASA supports user authorization on an external LDAP or RADIUS server. Before you configure the
ASA to use an external server, you must configure the server with the correct ASA authorization
attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow
the instructions in
to configure your external server.
Cisco ASA Series CLI Configuration Guide
1-42
Chapter 1
Appendix C, "Configuring an External Server for Authorization and Authentication"
Configuring Connection Profiles, Group Policies, and Users