David,
Under tunnel-group you can specify your default group policy for this tunnel, if you have a separate tunnel-group for your contractors and depending on settings like "tunnel-group-list" under webvpn global config.
bsns-asa5520-10(config)# tunnel-group TEST general-attributes
bsns-asa5520-10(config-tunnel-general)# %ASA-5-111008: User 'enable_15' executed the 'tunnel-group TEST general-attributes' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'tunnel-group TEST general-attributes'
defa
bsns-asa5520-10(config-tunnel-general)# default-group-policy ?
tunnel-group-general mode commands/options:
WORD < 65 char Name of the default group policy
You can also group-lock a group-policy to tunnel groups:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/gh.html#wp1777576
or do it per user:
bsns-asa5520-10(config)# username cisco attributes
%ASA-5-111008: User 'enable_15' executed the 'username cisco attributes' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'username cisco attributes'
bsns-asa5520-10(config-username)# group-lock ?
username mode commands/options:
none Specify that there is no group-lock restriction
value Specify the name of an existing tunnel-group that the user is required
to connect with
Hope this helps :-)
Marcin