A default group policy named DfltGrpPolicy always exists on the security appliance.

firewall(config)#

group-policy {name internal [from group-policy name]}

fw1(config)# group-policy training internal

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-25

A default group policy, named DfltGrpPolicy, always exists on the security appliance. Any attribute that you do not set explicitly in a group policy that you create takes its value from DfltGrpPolicy, so the default values listed below apply to every group policy unless you override them. The syntax for this command is as follows:

group-policy {name internal [from group-policy name]}
group-policy {name external server-group server group password server password}

■ external server-group server group: Specifies the group policy as external and identifies the AAA server group for the security appliance to query for attributes

■ from group-policy name: Initializes the attributes of this internal group policy to the values of a preexisting group policy

■ internal: Identifies the group policy as internal

■ name: Specifies the name of the group policy

■ password server password: Provides the password to use when retrieving attributes from the external AAA server group
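The three forms of the command side by side, as an added configuration example that is not part of the course page. The AAA server group name, its address and key, the policy names and the external-policy password are assumptions chosen for illustration; the aaa-server lines are included only so that the external policy has a server group to reference.

```cisco
! Added example (not from the course page). Names, addresses and
! secrets below are assumptions for illustration only.

! Hypothetical RADIUS server group that the external group policy queries.
! "key" is the RADIUS shared secret for this host.
aaa-server RADIUS-VPN protocol radius
aaa-server RADIUS-VPN (inside) host 10.1.1.25
 key Str0ngRadiusSecret

! 1. Internal policy: attributes not set here are inherited from DfltGrpPolicy.
group-policy training internal

! 2. Internal policy whose attributes start as a copy of "training".
group-policy contractors internal from group-policy training

! 3. External policy: attributes are pulled from the RADIUS-VPN group at login,
!    using the configured password when the appliance queries the server.
group-policy engineers external server-group RADIUS-VPN password ExtGrpPolicyPw
```

The second form only copies the attribute values at the moment the command is entered; later changes to "training" do not propagate to "contractors". For the external form, the attributes the appliance applies are whatever the AAA server returns, so the server group and its password are part of the policy's trust boundary and should be protected like any other credential in the configuration.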

The DfltGrpPolicy has these values:

Attribute                          Default Value
wins-server                        none
dns-server                         none
vpn-access-hours                   unrestricted
vpn-simultaneous-logins            3
vpn-idle-timeout                   30 minutes
vpn-session-timeout                none
vpn-filter                         none
ip-comp                            disable
re-xauth                           disable
group-lock                         none
pfs                                disable
client-access-rules                none
banner                             none
password-storage                   disabled
ipsec-udp                          disabled
ipsec-udp-port                     10000
backup-servers                     keep-client-config
split-tunnel-policy                tunnelall
split-tunnel-network-list          none
default-domain                     none
split-dns                          none
client-firewall                    none
secure-unit-authentication         disabled
user-authentication                disabled
user-authentication-idle-timeout   none
ip-phone-bypass                    disabled
leap-bypass                        disabled
nem                                disabled

group-policy attributes Command

• Use the group-policy attributes command in global configuration mode to enter the group-policy attributes submode.

firewall(config)#

group-policy {name} attributes

fw1(config)# group-policy training attributes

fw1(config-group-policy)#


You can modify the group policy attributes by entering the attributes subcommand mode, then entering the commands to modify the desired policy for the group.

The syntax for this command is as follows:

group-policy {name} attributes

■ name: Specifies the name of the group policy.

The following extensive list of attributes can be configured:

■ wins-server—Sets the IP address of the primary and secondary WINS servers

■ dns-server—Sets the IP address of the primary and secondary DNS servers

■ vpn-access-hours—Associates a group policy with a configured time-range policy

■ vpn-simultaneous-logins—Configures the number of simultaneous logins that are permitted for a user

■ vpn-idle-timeout—Configures a user timeout period

■ vpn-session-timeout—Configures a maximum amount of time for VPN connections

■ vpn-filter—Specifies the name of the ACL to use for VPN connections

■ vpn-tunnel-protocol—Configures a VPN tunnel type (IPSec or WebVPN)

■ ip-comp—Enables LZS IP compression

■ re-xauth—Requires that users reauthenticate on IKE rekey

■ group-lock—Restricts remote users to access through the tunnel group only

■ client-access-rules—Configures rules that limit the remote access client types and versions that can connect via IPSec

■ banner—Displays a banner, or welcome text, on remote clients when they connect

■ password-storage—Lets users store their login passwords on the client system

■ ipsec-udp—Enables IPSec over UDP

■ ipsec-udp-port—Sets a UDP port number for IPSec over UDP

■ backup-servers—Configures backup servers

■ split-tunnel-policy—Sets a split tunneling policy

■ split-tunnel-network-list—Creates a network list for split tunneling

■ default-domain—Sets a default domain name for users of the group policy

■ split-dns—Enters a list of domains to be resolved through the split tunnel

■ intercept-dhcp—Enables Dynamic Host Configuration Protocol (DHCP) Intercept

■ client-firewall—Sets personal firewall policies that the security appliance pushes to the VPN Client during IKE tunnel negotiation

■ secure-unit-authentication—Enables secure unit authentication

■ user-authentication—Enables user authentication

■ user-authentication-idle-timeout—Sets an idle timeout for individual users behind hardware clients

■ ip-phone-bypass—Enables IP Phone Bypass

■ leap-bypass—Enables Lightweight Extensible Authentication Protocol (LEAP) Bypass

■ nem—Enables network extension mode for hardware clients
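A hardened group policy built from the attributes above, as an added configuration example that is not part of the course page. It tightens the defaults from the DfltGrpPolicy table (three simultaneous logins, 30-minute idle timeout, no session limit, no filter, password storage merely disabled by inheritance) and binds the policy to a tunnel group so that it is actually applied. The ACL, time-range, address-pool and tunnel-group names, the addresses and the domain are assumptions; the access-list, time-range, ip local pool and tunnel-group commands are not described on this page and are included only to make the referenced objects exist.

```cisco
! Added example (not from the course page). Names, addresses and the
! domain are assumptions; the objects below are created only so that the
! group policy has something to reference.

! Objects referenced by the group policy must exist before they are bound.
! A vpn-filter ACL is written from the client's side: source = VPN client
! addresses, destination = the internal resource being permitted.
access-list TRAINING-VPN-FILTER extended permit tcp 10.8.1.0 255.255.255.0 host 10.1.1.50 eq 443
access-list TRAINING-VPN-FILTER extended permit udp 10.8.1.0 255.255.255.0 host 10.1.1.10 eq domain
access-list TRAINING-VPN-FILTER extended deny ip any any
time-range BUSINESS-HOURS
 periodic weekdays 07:00 to 19:00
ip local pool VPN-POOL 10.8.1.1-10.8.1.254 mask 255.255.255.0

group-policy training internal
group-policy training attributes
 ! Name resolution pushed to the client
 dns-server value 10.1.1.10 10.1.1.11
 wins-server value 10.1.1.20
 default-domain value corp.example.com
 ! Only the IPSec client, and only during business hours
 vpn-tunnel-protocol IPSec
 vpn-access-hours value BUSINESS-HOURS
 ! Tighten the inherited defaults: 3 logins, 30-minute idle, no session limit
 vpn-simultaneous-logins 1
 vpn-idle-timeout 15
 vpn-session-timeout 600
 ! Limit what the tunnel may reach inside
 vpn-filter value TRAINING-VPN-FILTER
 ! Keep all client traffic inside the tunnel (no split tunneling)
 split-tunnel-policy tunnelall
 ! Re-authenticate on IKE rekey and pin users to this tunnel group
 re-xauth enable
 group-lock value training
 ! Do not let the client cache the login password
 password-storage disable
 banner value Authorized users only. Activity is monitored.

! Bind the policy to the tunnel group; an unbound group policy applies to nobody.
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool VPN-POOL
 default-group-policy training
```

After entering this, confirm what the appliance will actually enforce with show running-config group-policy training; attributes that do not appear there are still being inherited from DfltGrpPolicy. Note that group-lock only has an effect if the value names an existing tunnel group, and that split-tunnel-policy tunnelall is already the inherited default, so it is restated here to make the intent visible to whoever reads the configuration next.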
