Overview of Connection Profiles, Group Policies, and Users
Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the ASA. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. A connection profile identifies the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.
In summary, you first configure connection profiles to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure these entities.
Note |
You configure connection profiles using tunnel-group commands. In this chapter, the terms “connection profile” and “tunnel group” are often used interchangeably. |
Connection profiles and group policies simplify system management. To streamline the configuration task, the ASA provides a default LAN-to-LAN connection profile (DefaultL2Lgroup), a default remote access connection profile for IKEv2 VPN (DefaultRAgroup), a default connection profile for Clientless SSL and AnyConnect SSL connections (DefaultWEBVPNgroup), and a default group policy (DfltGrpPolicy). The default connection profiles and group policy provide settings are likely to be common for many users. As you add users, you can specify that they “inherit” parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.
If you decide to grant identical rights to all VPN users, then you do not need to configure specific connection profiles or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Connection profiles and group policies provide the flexibility to do so securely.
Note |
The ASA also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and connection profiles. For more information about using object groups, see Chapter 20, "Objects" in the general operations configuration guide. |
The security appliance can apply attribute values from a variety of sources. It applies them according to the following hierarchy:
-
Dynamic Access Policy (DAP) record
-
Username
-
Group policy
-
Group policy for the connection profile
-
Default group policy
Therefore, DAP values for an attribute have a higher priority than those configured for a user, group policy, or connection profile.
When you enable or disable an attribute for a DAP record, the ASA applies that value and enforces it. For example, when you disable HTTP proxy in dap webvpn configuration mode, the ASA looks no further for a value. When you instead use the no value for the http-proxy command, the attribute is not present in the DAP record, so the security appliance moves down to the AAA attribute in the username, and if necessary, to the group policy and finds a value to apply. The ASA clientless SSL VPN configuration supports only one http-proxy and one https-proxy command each. We recommend that you use ASDM to configure DAP.