Cisco ASA Series CLI Configuration Guide
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
  Group Policies
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  unix-auth-uid 65534
  unix-auth-gid 65534
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  smart-tunnel auto-signon disable
  anyconnect ssl df-bit-ignore disable
  anyconnect routing-filtering-ignore disable
  smart-tunnel tunnel-policy tunnelall
  always-on-vpn profile-setting
You can modify the default group policy, and you can also create one or more group policies specific to 
your environment. 
Configuring Group Policies
A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter, 
the group takes the value from the default group policy. 
You can perform these configuration tasks in either single-context mode or multiple-context mode:
Note Multiple-context mode applies only to IKEv2 and IKEv1 site-to-site VPN and does not apply to AnyConnect, 
Clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN 
client, or cTCP for IKEv1 IPsec.
Configuring an External Group Policy
External group policies take their attribute values from the external server that you specify. For an 
external group policy, you must identify the AAA server group that the ASA can query for attributes and 
specify the password to use when retrieving attributes from the external AAA server group. If you are 
using an external authentication server, and if your external group-policy attributes exist in the same 
RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name 
duplication between them.
Note External group names on the ASA refer to user names on the RADIUS server. In other words, if you 
configure external group X on the ASA, the RADIUS server sees the query as an authentication request 
for user X. So external groups are really just user accounts on the RADIUS server that have special 
meaning to the ASA. If your external group attributes exist in the same RADIUS server as the users that 
you plan to authenticate, there must be no name duplication between them.
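As an added check that is not part of this guide: the script below parses a running-config fragment for lines in the ASA form `group-policy <name> external server-group <group> password <password>` and reports any external group-policy name that also exists as a user name on the RADIUS server, which is exactly the duplication the note above warns about. The config fragment and the RADIUS user list are constructed for illustration; comparing names case-insensitively is an assumption about the RADIUS server, made so that the check errs on the side of flagging a collision.

```python
import re
from typing import Dict, Iterable, List

# Matches the ASA external group-policy line:
#   group-policy <name> external server-group <aaa-server-group> password <password>
EXTERNAL_GP_RE = re.compile(
    r"^\s*group-policy\s+(\S+)\s+external\s+server-group\s+(\S+)\s+password\s+\S+\s*$"
)

# Constructed running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
aaa-server CORP-RADIUS protocol radius
aaa-server CORP-RADIUS (inside) host 192.0.2.10
 key *****
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
group-policy sales external server-group CORP-RADIUS password *****
group-policy ENG-VPN external server-group CORP-RADIUS password *****
group-policy LocalOnly internal
"""

# Constructed list of user names defined on the RADIUS server.
SAMPLE_RADIUS_USERS = ["alice", "bob", "sales", "eng-vpn"]


def external_group_policies(config_text: str) -> Dict[str, str]:
    """Return {group_policy_name: aaa_server_group} for each external group policy."""
    found: Dict[str, str] = {}
    for line in config_text.splitlines():
        m = EXTERNAL_GP_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def name_collisions(config_text: str, radius_users: Iterable[str]) -> List[str]:
    """External group-policy names that are also RADIUS user names.

    The ASA sends a query for external group X as an authentication request
    for user X, so a real user named X on the same RADIUS server is ambiguous.
    Case-insensitive comparison is an assumption about the RADIUS server made
    to keep the check conservative; ASA group-policy names themselves are
    case-sensitive.
    """
    users = {u.lower() for u in radius_users}
    return sorted(name for name in external_group_policies(config_text)
                  if name.lower() in users)


if __name__ == "__main__":
    for name in name_collisions(SAMPLE_CONFIG, SAMPLE_RADIUS_USERS):
        print(f"collision: external group-policy '{name}' is also a RADIUS user name")
```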
The ASA supports user authorization on an external LDAP or RADIUS server. Before you configure the 
ASA to use an external server, you must configure the server with the correct ASA authorization 
attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow 
the instructions in Appendix C, “Configuring an External Server for Authorization and Authentication” 
to configure your external server.