Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5018
Views
5
Helpful
3
Replies

ASA Group Policies

rrfield
Level 1
Level 1

‎11-06-2009 07:39 AM

I'm having a conceptual problem with ASA Group Policies, specifically relating to SSL VPN.

From what I can tell, all group policies inherit attributes from the Default Group Policy (DfltGrpPolicy). When creating a new Policy lets call this NewPolicy1, I can override the inherited properties. Fine, no problem. I am cool with assigning users to NewPolicy1 via RADIUS attribute 25.

Lets say DfltGrpPolicy has two bookmarks assigned to it, http://site1 and http://site2.

NewPolicy1 has two more bookmarks, http://newsite1 and http://newsite2.

Lets say User1 is assigned to NewPolicy1.

Is it possible for User1 to be presented links to all 4 bookmarks WITHOUT creating a bookmark list that is applied to NewPolicy1 that contains all 4 links?

Moving on, can I create a policy called NewPolicy1CHILD and have it inherit properties from NewPolicy1? Or are we stuck with two levels of policies, Default and an infinite number of child policies?

Thanks...

Labels:
0 Helpful
3 Replies 3

hdashnau
Cisco Employee
Cisco Employee

‎11-06-2009 09:23 AM

Group-policy priority inheritance goes in this order:

1. USER level: Values passed from authentication (ie your assigning group-pol from radius) or if you were using a local username on the ASA and had a group-pol assigned in the user-attributes

2. TUNNEL level: Value that is defined on the tunnel-group using the "default-group-policy" command

3. DEFAULT level: If an attribute is not assigned on the user level, nor the tunnel level, the values that are defined in the DfltGrpPolicy will be used

With group-policies alone, you can only have one value per attribute (ie only one bookmark list will ever be applied).

If you want to assign multiple bookmarks (from one or more "policies"), you should use Dynamic Access Policies (DAP) to accomplish this instead or in addition to your group-policy assignment. DAP concatinates attributes. So if you match two DAPs each with their own bookmark list, DAP would add them together and display one bookmark list with both sets or URLS combined. DAP can also work together with your group-policies. If you have a value set in DAP and the group-policy that cannot be concatenated then DAP will take precedence. For more information about DAP and how it add things together check this link:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

-heather

rrfield
Level 1
Level 1
In response to hdashnau

‎11-06-2009 10:32 AM

Great, that's what I want...I just wasn't looking in the right place.

Question, I don't see a place within DAP for Smart Tunnels, which I was hoping to utilize. Does anyone have an idea of when Smart Tunnels can be assigned with DAP?

0 Helpful

hdashnau
Cisco Employee
Cisco Employee
In response to rrfield

‎11-07-2009 05:49 AM

You can configure a bookmark list which has URLS setup to be smart tunneled, but the smart tunnel option to tunnel a process is not available in DAP yet.

There is an enhancement feature request to allow DAP to configure everything that you can configure on a group-policy level that would cover this request as well. You can track it with ID CSCsi54718

-heather

0 Helpful
Customers Also Viewed These Support Documents