Cisco ASDM User Guide (OL-16647-01)
Appendix C Configuring an External Server for Authorization and Authentication
Understanding Policy Enforcement of Permissions and Attributes
The security appliance supports several methods of applying user authorization attributes (also called
user entitlements or permissions) to VPN connections. You can configure the security appliance to
obtain user attributes from a Dynamic Access Policy (DAP) on the security appliance, from an external
authentication and/or authorization AAA server (RADIUS or LDAP), from a group policy on the
security appliance, or from all three.
If the security appliance receives attributes from all sources, the attributes are evaluated, merged, and
applied to the user policy. If there are conflicts between attributes coming from the DAP, the AAA server,
or the group policy, those attributes obtained from the DAP always take precedence.
The security appliance applies attributes in the following order (also illustrated in Figure C-1):
1. DAP attributes on the security appliance—Introduced in Version 8.0, these take precedence over all
others. If you set a bookmark/URL list in DAP, it overrides a bookmark/URL list set in the group
policy.
2. User attributes on the AAA server—The server returns these after successful user authentication
and/or authorization. Do not confuse these with attributes that are set for individual users in the local
AAA database on the security appliance (User Accounts in ASDM).
3. Group policy configured on the security appliance—If a RADIUS server returns the value of the
RADIUS CLASS attribute IETF-Class-25 (OU=<group-policy>) for the user, the security appliance
places the user in the group policy of the same name and enforces any attributes in the group policy
that are not returned by the server. For LDAP servers, any attribute name can be used to set the group
policy for the session. The LDAP attribute map you configure on the security appliance maps the
LDAP attribute to the Cisco attribute IETF-Radius-Class.
4. Group policy assigned by the Connection Profile (called tunnel-group in CLI)—The Connection
Profile holds the preliminary settings for the connection and includes a default group policy applied
to the user before authentication. All users connecting to the security appliance initially belong to
this group, which provides any attributes that are missing from the DAP, the user attributes returned by
the server, or the group policy assigned to the user.
5. Default group policy assigned by the security appliance (DfltGrpPolicy)—System default attributes
provide any values that are missing from the DAP, user attributes, group policy, or connection
profile.
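The five-step precedence above is easiest to check against a small model. The following Python is an added example written for this page, not Cisco code and not the appliance's implementation: it merges attribute sets in the order listed (DAP, AAA user attributes, the group policy named by the server, the Connection Profile's default group policy, DfltGrpPolicy), extracts the group-policy name from a RADIUS Class value of the form OU=<group-policy>, and applies an LDAP attribute map that points some LDAP attribute at IETF-Radius-Class. The group-policy names, attribute names and values, the RADIUS Class values and the LDAP entry are all constructed sample data; it also assumes an LDAP value is used as the group-policy name as-is, and that a server-named group policy that does not exist on the appliance is simply skipped (the page does not state what the appliance does in that case).

```python
"""Model of how the ASA merges VPN session attributes from its five sources.

Added example, not Cisco code. Precedence, highest first:
  1. DAP attributes
  2. AAA user attributes returned by the RADIUS/LDAP server
  3. group policy named by the server (RADIUS Class "OU=<name>", or an LDAP
     attribute mapped to IETF-Radius-Class)
  4. default group policy of the Connection Profile (tunnel-group)
  5. DfltGrpPolicy
A lower-precedence source only supplies attributes no higher source set.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Attrs = Dict[str, object]

# Constructed group policies and DfltGrpPolicy (attribute names are illustrative).
GROUP_POLICIES: Dict[str, Attrs] = {
    "Engineering": {"vpn-idle-timeout": 60, "url-list": "Eng-Bookmarks",
                    "banner": "Engineering VPN"},
    "Contractors": {"vpn-idle-timeout": 15, "split-tunnel-policy": "tunnelall",
                    "banner": "Contractor VPN"},
}
DFLT_GRP_POLICY: Attrs = {"vpn-idle-timeout": 30, "vpn-simultaneous-logins": 3,
                          "split-tunnel-policy": "tunnelall", "dns-server": "10.0.0.53"}


def group_policy_from_radius_class(class_values: Iterable[str]) -> Optional[str]:
    """Pick the group-policy name out of RADIUS Class (IETF attribute 25) values.

    Only a value of the form OU=<group-policy> selects a group policy; other
    Class values (e.g. an opaque accounting cookie) are ignored.
    """
    for value in class_values:
        if value.startswith("OU="):
            return value[len("OU="):]
    return None


def group_policy_from_ldap(entry: Attrs, attribute_map: Dict[str, str]) -> Optional[str]:
    """Apply an LDAP attribute map (LDAP attribute name -> Cisco attribute name).

    Whichever LDAP attribute is mapped to IETF-Radius-Class names the group
    policy. Assumption: its value is used as-is (no value translation).
    """
    for ldap_name, cisco_name in attribute_map.items():
        if cisco_name == "IETF-Radius-Class" and ldap_name in entry:
            return str(entry[ldap_name])
    return None


def merge_sources(sources: List[Tuple[str, Attrs]]) -> Tuple[Attrs, Dict[str, str]]:
    """Merge in precedence order; a key already set by a higher source is kept.

    Returns the effective attributes and, per attribute, the source that won.
    """
    effective: Attrs = {}
    provenance: Dict[str, str] = {}
    for source_name, attrs in sources:
        for key, value in attrs.items():
            if value is None or key in effective:
                continue
            effective[key] = value
            provenance[key] = source_name
    return effective, provenance


def resolve_session(dap: Attrs, aaa_user: Attrs, server_gp_name: Optional[str],
                    profile_gp_name: str,
                    group_policies: Dict[str, Attrs] = GROUP_POLICIES,
                    dflt: Attrs = DFLT_GRP_POLICY) -> Tuple[Attrs, Dict[str, str]]:
    """Build the source list for one session and merge it (steps 1-5 of the text)."""
    sources: List[Tuple[str, Attrs]] = [("DAP", dap), ("AAA user", aaa_user)]
    # Assumption: a server-named policy that does not exist on the appliance is
    # skipped here; the page does not say what the real appliance does then.
    if server_gp_name in group_policies:
        sources.append(("server group policy", group_policies[server_gp_name]))
    sources.append(("connection-profile group policy", group_policies[profile_gp_name]))
    sources.append(("DfltGrpPolicy", dflt))
    return merge_sources(sources)


def demo() -> Tuple[Attrs, Dict[str, str]]:
    """Constructed session: DAP sets a URL list, the RADIUS server returns one
    user attribute, a conflicting URL list and Class OU=Engineering, and the
    Connection Profile's default group policy is Contractors."""
    dap = {"url-list": "DAP-Bookmarks"}
    aaa_user = {"vpn-simultaneous-logins": 1, "url-list": "User-Bookmarks"}
    radius_class = ["acct-cookie-7f3a", "OU=Engineering"]
    gp = group_policy_from_radius_class(radius_class)
    return resolve_session(dap, aaa_user, gp, "Contractors")


if __name__ == "__main__":
    effective, provenance = demo()
    for key in effective:
        print(f"{key:24} = {effective[key]!s:18} from {provenance[key]}")
```

Running the script shows each attribute next to the source that supplied it: the DAP URL list wins over the server's, the server's user attribute wins over DfltGrpPolicy, the Engineering policy named by the Class attribute supplies the idle timeout and banner, and only the attributes none of those set (split-tunnel policy, DNS server) fall through to the Contractors profile policy and then DfltGrpPolicy. Calling resolve_session with server_gp_name=None shows the fall-through when the server returns no Class value.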